----------------------------------                                 __  __  __ ___    __  __
The NagraVision3 hacking FAQ                                      /_/ /_/ /_/ | |   /_/ /_/
Revision: 00000000                                                |_|/_/ /_/  |_|  /_/  |_|
                                                                  | || | | |  | |  | |  | |
                                                                  --  --  --   -    --   --
Contents:          

0: Openers
  0.1: Introduction/About me
  0.2: Where to find this FAQ
  0.3: Contributors
  0.4: Detractors
1: The T=1 protocol
  1.1: NagraVision2 ATR
  1.2: NagraVision's packet structure I: The ISO-specified portion
  1.2.1: Chained messages
  1.3: NagraVision's packet structure II: The IRD-to-CAM information field
  1.4: NagraVision's packet structure III: The CAM-to-IRD information field
  1.5: The status word
2: Commands
  2.1: Command list
  2.2: Command lengths, expected replies, and reply lengths
  2.3: Command breakdown
     2.3.Rom152.CMD.04: CMD $04/RSP $84 Entitlement Management Message (EMM)
     2.3.Rom152.CMD.07: CMD $07/RSP $87 Entitlement Control Message (ECM)
     2.3.Rom152.CMD.12: CMD $12/RSP $92 Serial Number Request
     2.3.Rom152.CMD.15: CMD $15/RSP $95 Processing cycle request
     2.3.Rom152.CMD.17: CMD $17/RSP $97 Special Entitlement Management Message Cmd17 (EMM)
     2.3.Rom152.CMD.18: CMD $18/RSP $98 Special Entitlement Management Message Cmd18 (EMM)
     2.3.Rom152.CMD.1A: CMD $1A/RSP $9A Control Word Request (video decryption key request)
     2.3.Rom152.CMD.1C: CMD $1C/RSP $1C Control Word Request (video decryption key request)
     2.3.Rom152.CMD.22: CMD $22/RSP $A2 Data item request
     2.3.Rom152.CMD.2A: CMD $2A/RSP $AA MECM key request
     2.3.Rom152.CMD.2B: CMD $2B/RSP $AB MECM key update
     2.3.Rom152.CMD.32: CMD $32/RSP $F2 Request for encryption of data to be sent in callback
     2.3.Rom152.CMD.33: CMD $33/RSP $F3 Request for data encrypted by previous command $32
     2.3.Rom152.CMD.48: CMD $48/RSP $78 Special Entitlement Management Message Cmd48 (EMM)
     2.3.Rom152.CMD.49: CMD $49/RSP $79 Get EMMPlaintext from Cmd48
     2.3.Rom152.CMD.4A: CMD $4A/RSP $7A Special Encrypt Message Cmd4A
     2.3.Rom152.CMD.64: CMD $64/RSP $E4 Write IRD info
     2.3.Rom152.CMD.65: CMD $65/RSP $E5 Get IRD Command from EmmCmd64
     2.3.Rom152.CMD.68: CMD $68/RSP $E8 Process UROM2 Data
     2.3.Rom152.CMD.69: CMD $69/RSP $E9 Process UROM2 Data
     2.3.Rom152.CMD.6A: CMD $6A/RSP $EA Update Provider Filter
     2.3.Rom152.CMD.6B: CMD $6B/RSP $EB Update and play with DecryptKey no 7A and Provider Filter
     2.3.Rom152.CMD.6C: CMD $6C/RSP $EC Update Provider Filter
     2.3.Rom152.CMD.6D: CMD $6D/RSP $ED Update or Create DecryptKeyno24
     2.3.Rom152.CMD.C4: CMD $C4/RSP $84 Special Entitlement Management Message CmdC4 (EMM)
     2.3.Rom152.CMD.C7: CMD $C7/RSP $B7 Request for ID of updated data items
     2.3.Rom152.CMD.C8: CMD $C8/RSP $B8 Request for date/time
			27Rom Total
     2.3.FW.CMD.05:     CMD $05/RSP $85 unknow
     2.3.FW.CMD.08:     CMD $08/RSP $88 unknow
     2.3.FW.CMD.16:     CMD $16/RSP $96 unknow
     2.3.FW.CMD.19:     CMD $19/RSP $99 unknow
     2.3.FW.CMD.27:     CMD $27/RSP $A7 unknow
     2.3.FW.CMD.28:     CMD $28/RSP $A8 unknow
     2.3.FW.CMD.29:     CMD $29/RSP $A9 unknow
     2.3.FW.CMD.2C:     CMD $2C/RSP $AC unknow
     2.3.FW.CMD.2D:     CMD $2D/RSP $AD unknow
     2.3.FW.CMD.63:     CMD $63/RSP $E3 unknow
     2.3.FW.CMD.6E:     CMD $6E/RSP $EE unknow
     2.3.FW.CMD.C9:     CMD $C9/RSP $B9 unknow
			12FW Total
  2.4: Basic command sequences
     2.4.1: Finding out if the card is busy or has new information
     2.4.2: Finding out what data types in the card's database have changed
     2.4.3: Retrieving a specific data item from the card
     2.4.4: Getting the data required to decrypt the video stream
3: EMM commands
  3.1: EMM command list
  3.2: EMM command breakdown
     3.2.01: EMM command $01	Set up for EMM commands
     3.2.10: EMM command $10	Spending limit item create
     3.2.12: EMM command $12	Create subscription tier
     3.2.13: EMM command $13	PPV Service
     3.2.20: EMM command $20	Modify subscription dates
     3.2.46: EMM command $46	Create and update Dt08 ItemId0A
     3.2.47: EMM command $47	DT06 key update for key no 30 (CMD48)
     3.2.48: EMM command $48	Create and update Dt08 ItemId0A
     3.2.49: EMM command $49	Create and update Dt08 ItemId0A
     3.2.42: EMM command $42	DT06 key update
     3.2.4F: EMM command $4F	CW Extra encryption
     3.2.54: EMM command $54	Update blackout bytes
     3.2.81: EMM command $81	Master program provider activation
     3.2.83: EMM command $83	Change EMM system ID
     3.2.64: EMM command $64	Encrypt IRD command
     3.2.90: EMM command $90	Create ItemID0B
     3.2.85: EMM command $85	Create ItemID04
     3.2.9F: EMM command $9F	EmmHeader for nextemmcmd by Cmp UpstatMsb:Lsb
     3.2.A1: EMM command $A1-AF Emm Filter by CamId
     3.2.B1: EMM command $B1	Execute code from RAM
       3.2.B1.0801 List: Emm Command $B1 List of packet 41 42 43 44 45 46 47
     3.2.C4: EMM command $C4	EmmCmdXX with Extra encryption Layer
     3.2.C5: EMM command $C5	WriteEEp at 311E and 311F and Update Date_Copy
     3.2.E0: EMM command $E0	ItemID Update
     3.2.E3: EMM command $E3	Write eeprom
       3.2.E3: EMM command $E3   Write eeprom, Sub section all EmmcmdE3 packet for Rom102Rev241 to Rom102Rev242
	3.2.E3: EMM Command $E3   write eeprom,	Sub Section Understand EmmcmdE3 by dasm
     3.2.F3: EMM command $F3    
4: 21-xx data types
  4.1: Data type list
  4.2: Data type breakdown
	4.2.00: Data Type$00	Mapped ItemID[01] - IRD INFO
	4.2.01: Data Type$01	Mapped ItemID[02] - System Type
	4.2.02: Data Type$02	Mapped ItemId[03] - 
	4.2.03: Data Type$03	Mapped ItemID[04] - 
	4.2.04: Data Type$04	Mapped ItemID[05] - Provider Info
	4.2.--: Data Type$--	Mapped ItemID[06] - Decrypt Keys
	4.2.05: Data Type$05	Mapped ItemID[07] - Tier
	4.2.06: Data Type$06	Mapped ItemID[08] - Provider Filter
	4.2.07: Data Type$07	Mapped ItemID[09] - Spending Limit
	4.2.08: Data Type$08	Mapped ItemID[0A] - DT08+C8
	4.2.  : Data Type$	Mapped ItemID[0B] - 
	4.2.  : Data Type$	Mapped ItemID[0C] - 
	4.2.  : Data Type$	Mapped ItemID[FF] - DTMatchany
5: The backdoors
  5.1: The backdoor passwords
  5.2: The backdoor commands
6: Inside NagraVision cards
  6.1: The MCU core
  6.2: AA-06 vs AA-07
7: Glossary
  7.1: Glossary
8: Encryption
  8.1: ECM encryption
     8.1.1: The encryption algorithm
  8.2: EMM encryption
  8.3: The valid hash
9: Hacks
10: Firmware versions of the various E* cards
  10.102: ROM152 firmware versions
11: Writing code for NagraVision cards
  11.3: ROM152 cards
     11.3.1: Bug-catcher modules
     11.3.2: Hooking in a bug-catcher
     11.3.3: Useful routines and memory locations
        11.3.3.1: Utility routines
        11.3.3.2: Database routines
        11.3.3.3: Low-level routines
        11.3.3.4: Encryption/decryption routines
     11.3.4: Memory usage
        11.3.4.1: ZP RAM
        11.3.4.2: Other RAM
        11.3.4.3: Tables in ROM and EEPROM
 	11.3.5: MAPROM
13: Stream
  13.1:	Bootup sequence 0101
  13.2:	Bootup sequence 0101 cut
  13.3:	Bootup sequence 0801
  13.4:	Bootup sequence 0801 cut
  13.8:	Nagra_3_config1.1.cfg for T-Rex Nagra-Tool
  13.9:	DASM ROM152_ND13_A0FF-INTERCEPT-autoVCC_20.XVB	
	Blockerv7 Backdoor dasm
	Blockerv7 emmhandler dasm
        22sk dasm
   _____________________________________________________________________________________________________
  /|                                                                                                   /|
 / |                                                                                                  / |
/__|_________________________________________________________________________________________________/  |
|  |                                                                                                 |  |
|  |     Special thanks to Stunteam, Stuntguy, No1b4me,Bobigboys,IDAPRO,Dbdan,                       |  |
|  |_________________________________________________________________________________________________|__|
|  /                                                                                                 |  /
| /                                                                                                  | /
|/___________________________________________________________________________________________________|/

#####################################################################################################
#####################################################################################################


#####################################################################################################
#####################################################################################################
#section00: Openers
#0: Openers
#####################################################################################################
hello

#####################################################################################################
#####################################################################################################
#  1.1: NagraVision2 ATR
#
#####################################################################################################

  3F ...                                              Convention
   |
   |_____________ Inverse convention (data is inverted)

  FF 95 00 FF 91 ...                                  Initial parm setup
   |  |  |  |  |
   |  |  |  |  |_ Td1=91 (Ta2 and Td2 will be sent, Protocol is async
   |  |  |  |              half duplex block format)
   |  |  |  |____ Tc1=FF (Guard time=257 bits)
   |  |  |_______ Tb1=00 (No Vpp)
   |  |__________ Ta1=95 (F=512, D=16; Bit period=(512/16) (32) clocks)
   |_____________  T0=FF (Ta1, Tb1, Tc1, and Td1 will be sent, 15
                           historical characters will be sent)

  81 71 ...                                           Secondary parameters
   |  |
   |  |__________ Td2=71 (Ta3, Tb3, and Tc3 will be sent, protocol is async
   |                       half duplex block format)
   |_____________ Ta2=81 (Mode change not allowed, Protocol is async half
                           duplex block format)

  FF 47 00 ...                                        T=1 specific parameters
   |  |  |
   |  |  |_______ Tc3=00 (LRC (XOR-type) error checking to be used)
   |  |__________ Tb3=47 (Char wait time is 25 bit times, block wait time
   |                       is 634.9 mSec + 11 bit times) (1 bit time=7.111
   |                       uSec)
   |_____________ Ta3=FF (Receive block size=0xFF bytes (255 bytes decimal)

  44 4E 41 53 50 53 30 31 20 52 65 76 36 34 30 ...    Historical bytes
   |                                         |
   |_____ ___________________________________|
         |
         |_______ ASCII text: "DNASPS01 Rev640".  

  05
   |_____________ Checksum (all other bytes XORed together except the First "3F"byte)

#####################################################################################################
#####################################################################################################
#  1.2: NagraVision's packet structure I: The ISO-specified portion
#
#####################################################################################################

Bit convention note (C/P from wapo source) , and meltro correction
		------------------------------------------------------------ 
		 NOTE: For RS-232, the output is normally low.
		 We must drive it high for start, stop, or data bits.
		 Using 115,200 baud, 1 start bit, 1 stop bit, no parity bit.
		 Order of bits sent is:
		 Start, LSB.....MSB, Stop


		 NOTE: For ATR message (from CAM to IRD at ~12,097 baud):
		
		 Bits are inverted (1 vs 0), i.e. if you want to send
		 a 1 then you drive the pin low.
		 1 start bit (always 1, which is 0 volts),
		 8 data bits,
		 3 stop bits (always 0, which is 5 volts), 
		 no parity bits.
		 Order of bits sent is:
		 Start, MSB.....LSB, Stop
		 This is backwards from the way RS-232 does it.
		 Bit duration is 82.7 uS
		 Byte duration is 992 uS




		 Data rate specified for IRD/CAN normal comms is 140,625.
		 Bits are inverted (1 vs 0), i.e. if you want to send
		 a 1 then you drive the pin low.
		 1 start bit (always 1, which is 0 volts),
		 8 data bits,
		 2 stop bits (always 0, which is 5 volts), 
		 no parity bits.

		 Or is it 1 parity and 1 stop?
		
		 Order of bits sent is:
		 Start, MSB.....LSB, Stop
		 This is backwards from the way RS-232 does it.
		 Bit duration is 7.11 uS
		 Byte duration is 78.2 uS
		------------------------------------------------------------ 
#####################################################################################################
#####################################################################################################
#section1.5
#The status word
#####################################################################################################
N1 + N2 status word

        SW1     SW2     Meaning
        ------  ------  -----------------------------------------------
        63      00      Password(s) incorrect
        69      82      Need password for access to backdoor commands
        69      85      EEPROM data area pointer no good (Doesn't point to
                         an address in the $Exxx range)
        69      86      Bad address in backdoor read/write memory command
        6A      00      P1 and/or P2 byte incorrect
        6B      00      Incorrect reference
        6C      FF      Requested too few data bytes in $21 command
        6D      00      Instruction not supported
        6E      00      CLA not supported
        6E      00      P1 and/or P2 byte incorrect (note: This is a bug in
                         the ROM3 code...in theory, this situation should
                         produce an SW1/SW2 of 6A 00, but it doesn't (in fact,
                         nothing does))
        6F      00      Command not supported
        90      00      Command completed successfully

	90	01	???



#####################################################################################################
#####################################################################################################
#section2.1 commands
#Nagra1 and Nagra2 Command list From Rom and Firmware
#####################################################################################################
A0 CA 00 00 HEADER Command list, ROM2-3-10-11-101(007)-102(103)-S01(640)
(always need correction somewhere in table)
-----   ------  ------  -----   ------  -----   ------------------------------------------------------------
                 Data		RSP	
CMD #FW Length  Length  RSP #   Length  Type     Description
-----   ------  ------  -----   ------  -----   ------------------------------------------------------------
00  Y	  00	  Varies  00	  00	  N1	  Entitlement Management Message (EMM)
00  Y	  4D	  53	  80	  05	  N1	  Entitlement Management Message (EMM)
01  Y	  4D	  53	  81	  05	  N1	  PPV Entitlement Management Message
02  Y	  4D	  53	  82	  05	  N1	  MECM key update
03  Y	  00	  Varies  83	  05	  N1	  Entitlement Control Message
04  Y	  00	  Varies  84	  02	  N2	  Entitlement Management Message (EMM)
04  Y	  00	  Varies  84	  02	  N2	  Entitlement Management Message (EMM)
05  Y	  00	  Varies  85	  05	  ??
07  Y	  00	  Varies  87	  02	  N2	  Entitlement Control Message
08  Y	  00	  Varies  88	  04	  ??
12  Y	  02	  08	  92	  06	  N1/N2   Serial Number Request
13  Y	  03	  09	  93	  00	  N1	  Control Word Request (video decryption key request)
14  Y	  02	  08	  94	  06	  N1	  Processing cycle request
15  Y	  02	  08	  95	  08	  N2	  Processing cycle request
16  Y	  00	  Varies  96	  04	  ??
17  Y	  00	  Varies  97	  02	  N2	  Special Entitlement Management Message Cmd17 (EMM)
18  Y	  00	  Varies  98	  02	  N2	  Special Entitlement Management Message Cmd18 (EMM)
19  Y	  00	  Varies  99	  04	  ??
1A  Y	  02	  08	  9A	  00	  N2	  Control Word Request (video decryption key request)
1C  Y	  02	  08	  9C	  36	  N2	  Control Word Request (video decryption key request)
20  Y	  06	  0C	  A0	  03	  N1	  Data items available request
21  Y	  00	  Varies  A1	  00	  N1	  Data item request
22  Y	  03	  09	  A2	  00	  N2	  Data item request
26  Y	  07/02	  0D/08	  A6/86	  42/00	  N2
27  Y	  47	  4D	  A7	  02	  ??
28  Y	  03	  09	  A8	  1A	  ??
29  Y	  02	  08	  A9	  04	  ??
2A  Y	  02	  08	  AA	  42	  N2	  MECM key request
2B  Y	  42	  48	  AB	  02	  N2	  MECM key update
2C  Y	  02	  08	  AC	  42	  ??
2D  Y	  42	  48	  AD	  02	  ??
30  Y	  05	  0B	  F0	  05	  N1	  Request for encryption of data to be sent in callback
31  Y	  02	  08	  F1	  52	  N1	  Request for data encrypted by previous command $30
32  Y	  05	  0B	  F2	  03	  N2	  Request for encryption of data to be sent in callback
33  Y	  02	  08	  F3	  00	  N2	  Request for data encrypted by previous command $32
40  Y	  02	  08	  70	  04	  N1	  EEPROM data space available request
41  Y	  00/02	  Varies  71/C1	  03/00	  N1/N2	  PPV buy write
42  Y	  09	  0F	  72	  03	  N1	  PPV buy link
48	  02	  08	  78	  02?	  N2	  Special Entitlement Management Message Cmd48 (EMM)	
49	  02	  08	  79	  56?	  N2	  Get EMMPlaintext from Cmd48
4A	  XX	  XX	  7A	  xx	  N2	  Special Encrypt Message Cmd4A
55	  05	  0B	  D5	  06	  N1	  Mail Read
56	  05	  0B	  D6	  06	  N1	  Delete Mail
60  Y	  02	  08	  E0	  42	  N1	  Get IRD command
61  Y	  16	  1C	  E1	  03	  N1	  Write IRD info
63  Y	  12	  18	  E3	  03	  ??
64  Y	  12	  18	  E4	  03	  N2	  Write IRD info
65  Y	  02	  08	  E5	  52	  N2	  Get IRD Command from EmmCmd64
68  Y	  00	  Varies  E8	  03	  N2	  Process UROM2 Data
69  Y	  00	  Varies  E9	  02	  N2	  Process UROM2 Data
6A  Y	  04	  0A	  EA	  02	  N2	  Update Provider Filter
6B  Y	  07	  0D	  EB	  02	  N2	  Update and play with DecryptKey no 7A and Provider Filter
6C  Y	  03	  09	  EC	  02	  N2	  Update Provider Filter
6D			  ED              N2	  Update or Create DecryptKeyno24
6E  Y	  00	  Varies  EE	  04	  N2
99  Y	  1A	  20	  99	  1A	  N1	  Anti-piracy message
C0  Y	  02	  08	  B0	  06	  N1/N2   CAM status request
C1  Y	  02	  08	  B1	  04	  N1	  Request for ID of updated data items
C4  Y	  00	  Varies  B4	  02	  N2	  Special Entitlement Management Message CmdC4 (EMM)
C7  Y	  02	  08	  B7	  04	  N2	  Request for ID of updated data items
C8  Y	  02	  08	  B8	  06	  N2	  Request for date/time
C9  Y	  00	  Varies  B9	  04	  ??
-----   ------  ------  -----   ------  -----   ------------------------------------------------------------
		Data		RSP			RSP	 Cmd
CMD #FW Length  Length  RSP #   Length  Type	Description
-----   ------  ------  -----   ------  -----   ------------------------------------------------------------
Y in table = Include in firmware list see below

From FW, Firmware 2700-2800
CMD
C0 12 99 60 40 14 C1 20-21 03 13 02 00 01 30 31
41 42 61 2C 2D 05 65 15-C8 22 C7 07 08 1C 1A 2A
2B 26 27 28 29 04 04 17-16 18 19 32 33 C4 C9 64
63 68 6E 69 6A 6B 6C 00

Length
02 02 1A 02 02 02 02 06-00 00 03 4D 4D 4D 05 02
00 09 16 02 42 00 02 02-02 03 02 00 00 02 02 02
42 07 47 03 02 00 00 00-00 00 00 05 02 00 00 12
12 00 00 00 04 07 03 00

RSP #
B0 92 99 E0 70 94 B1 A0-A1 83 93 82 80 81 F0 F1
71 72 E1 AC AD 85 E5 95-B8 A2 B7 87 88 9C 9A AA
AB A6 A7 A8 A9 84 84 97-96 98 99 F2 F3 B4 B9 E4
E3 E8 EE E9 EA EB EC 00

Rsp lengths:
06 06 1A 42 04 06 04 03-00 05 00 05 05 05 05 52
03 03 03 42 02 05 52 08-06 00 04 02 04 36 00 42
02 42 02 1A 04 02 02 02-04 02 04 03 00 02 04 03
03 03 04 02 02 02 02 00




#####################################################################################################
#####################################################################################################
#section2.2 commands
#Command Breakdown
#####################################################################################################

initial test was on virgin rom.
rom101 was 007
rom102 was 103
romS01 was 640

N3Rom Command and Firmware Command

#####################################################################################################
#####################################################################################################
#Cmd.04
#Rom:101-102-S01
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#04	  00	  Varies  84	  02	  N2	  Entitlement Management Message (EMM)
#04	  00	  Varies  84	  02	  N2	  Entitlement Management Message (EMM)
#####################################################################################################
S01 accept more big packet
each ecm or emm packet need more recent date than eeprom

768 bit 

CD 5C 06                    call    CmpZPtoZP3P               ; Compare ZP RAM to ZP RAM
                                                              ; (Params: Start1, Start2, Length)
             ; ---------------------------------------------------------------------------
8A                          dc.b {EMMBUFF+$A}                 ; Valid Date IF lower or equal
82                          dc.b {EMMBUFF+2}                  ; EEprom Date(2HL)Time(1H) from 30DD, 30DE,30DF,
03                          dc.b 3
             ; ---------------------------------------------------------------------------
23 1A                       jrule   DecodeECM_EMM_CompareDate_BADDATE ; Jump if (C + Z = 1)


  21 00 6D ; A0 CA 00 00                ;Standard header
             67                         ;Instruction length
             04                         ;Command
             65                         ;Command data length
             09 01                      ;Providor
             81 00 10                   ;Key select byte
             F5 F9 5D DE 10 A6 5D FB    ;Signature
             28 9D 78 5C 10 E1 CA 38    ;Encrypted Package #0
             1B A6 45 7E 9E 28 2C C6    ;Encrypted Package #1
             3F E2 90 1A 8F 64 DF EA    ;Encrypted Package #2
             20 34 E5 AD BB 94 E5 05    ;Encrypted Package #3
             8B A0 7B 22 51 20 47 98    ;Encrypted Package #4
             52 43 64 9E 55 7B 4E B6    ;Encrypted Package #5
             93 F5 45 1F 09 2D C7 FD    ;Encrypted Package #6
             5D A4 C0 87 1B E3 B1 1E    ;Encrypted Package #7
             8B B7 74 BC 90 C9 00 42    ;Encrypted Package #8
             A1 09 BF D0 76 EF 7D 10    ;Encrypted Package #9
             58 AB 77 FE 71 61 9B BB    ;Encrypted Package #A
             02                         ;Expected response length
             CA                         ;Checksum

  12 00 04 ; 84                         ;Response code
             00                         ;Response data length
             90 00                      ;SW1/SW2: Successful completion
             02                         ;Checksum

Key select byte
81 00 10 or 81 00 90 Single CAM
82 00 10 or 82 00 90 All CAMs


  21 40 6D ; A0 CA 00 00
             67
             04
             65
             09 01
             82 00 90
             EE 73 55 9F B9 D5 02 7A
             64 1E 72 0E 3F 61 11 26
             D2 5C F2 AB DF 20 8D 89
             75 CB A5 23 2C C3 E6 52
             FD 60 F8 53 34 4B 28 6F
             64 1D 6D 94 FD 5E D9 D9
             47 80 5C AA 73 F1 4C 06
             7A 88 35 58 E8 5A 8F 37
             BA 18 EC 94 C5 40 58 7C
             59 46 4B DD FC B7 D3 BB
             4C A8 57 C7 43 11 8C D3
             6B 4F 87 07 DC D9 D9 4E
             02
             C4


             09 01						;Emmbuff+00, Provider
             13 E5 63 EA D8 B6					;Signature
             09 01						;PROVIDER  
             13 DB 00 01					;Date VALID EMMBUFF8A
             14 34 03 84					;Date2 Always compare with eepromDate30DD
             42 00 10 06 08 00 10 10   F2 6F 9D 76 A8 03 DF C7  ;Emmcmd42
             71 B1 BD F2 EA A1 D1 00   00 00 00 00 00 00 00 00
             00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00
             00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00
             00 00 00 00 00 00 00 00   00 00 00 00 00 00 07 DC
             D9 D9 4E 02 00 00 00 00   00 00 00 00 00 00 00 00
             00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00
             00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00
             00 00 00 00 00 00 00 




IDEA Keys in eeprom

00 --> Unknown
01 --> for EMM-S
02 --> for EMM-G
03 --> for EMM signing
06 --> for ECM
07 --> for ECM signing
09 --> for cmd 32/33
0B --> unknown
 



Ready to send packet:

21 00 6D A0 CA 00 00 67 04 65 09 01 81 00 10 F5 F9 5D DE 10 A6 5D FB 28 9D 78 5C 10 E1 CA 38 1B A6 45 7E 9E 28 2C C6 3F E2 90 1A 8F 64 DF EA 20 34 E5 AD BB 94 E5 05 8B A0 7B 22 51 20 47 98 52 43 64 9E 55 7B 4E B6 93 F5 45 1F 09 2D C7 FD 5D A4 C0 87 1B E3 B1 1E 8B B7 74 BC 90 C9 00 42 A1 09 BF D0 76 EF 7D 10 58 AB 77 FE 71 61 9B BB 02 CA

12 00 04 84 00 90 00 02 
#####################################################################################################
#####################################################################################################
#Cmd.05
#Rom:FWOnly
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#05	  00	  Varies  85	  05	  ??
#####################################################################################################


Ready to send packet:
21 00 08 A0 CA 00 00 00 05 00 05 43

12 00 02 6F 00 7F   			Rom 101-102-S01 command not supported



#####################################################################################################
#####################################################################################################
#Cmd.07
#Rom:101-102-S01
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#07	  00	  Varies  87	  02	  N2	  Entitlement Control Message
#####################################################################################################
   This command is used to prime the card to return video decryption keys to
the IRD.  Contained within this command's encrypted packets are information
pertaining to the program tier the user is attempting to view, the correct
audio and video decryption keys for the channel, current date and time, and so
forth.  When a card receives a $1C command, it will re-encrypt the decryption
keys using the IRD's 8-byte key and return them to the IRD if it (the card)
believes that the program tier that the user is attempting to watch is one for
which they are authorized.
   In addition to information about the program that the user is attempting to
watch, the $07 command contains information about the encryption method used,
how many encrypted video keys are present, and so forth.

   Example of a $07 command and its response:

  21 00 4D ; A0 CA 00 00                ;Standard header
             47                         ;Instruction length
             07                         ;Command
             45                         ;Command data length
             01 01                      ;System ID
             86 00			;key select?
             88                         ;values = 08 or 88
             46 FE 13 E9 56 82 74 E1    ;Data Package #0
             6A 25 B4 75 9A 11 {D3} B2    ;Data Package #1
             {52 EC 50 6A} 5C 19 83 E7    ;Data Package #2
             48 B4 65 4C A5 47 2F 84    ;Data Package #3
             E6 C3 0B 16 A4 9A 4E AE    ;Data Package #4
             B7 01 41 0E E6 54 D8 2C    ;Data Package #5
             BC 9E 9B 5E 24 E6 48 CF    ;Data Package #6
             96 A9 E1 76 1A 2D F0 89    ;Data Package #7
             02                         ;Expected response length
             4C                         ;Checksum

  12 00 04 ; 87                         ;Response code
             00                         ;Response data length
             90 00                      ;SW1/SW2: Successful completion
             01                         ;Checksum

Ready to send packet:
21 00 4D A0 CA 00 00 47 07 45 01 01 86 00 88 46 FE 13 E9 56 82 74 E1 6A 25 B4 75 9A 11 D3 B2 52 EC 50 6A 5C 19 83 E7 48 B4 65 4C A5 47 2F 84 E6 C3 0B 16 A4 9A 4E AE B7 01 41 0E E6 54 D8 2C BC 9E 9B 5E 24 E6 48 CF 96 A9 E1 76 1A 2D F0 89 02 4C

12 00 04 87 00 90 00 01
#####################################################################################################
#####################################################################################################
#Cmd.08
#Rom:FWOnly
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#08	  00	  Varies  88	  04	  ??
#####################################################################################################

Ready to send packet:
21 00 08 A0 CA 00 00 00 08 00 04 4F

12 00 02 6F 00 7F   			Rom 101-102-S01 command not supported


#####################################################################################################
#####################################################################################################
#Cmd.12
#Rom:2-3-10-11-101-102-103-S01-
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#12	  02	  08	  92	  06	  N1/N2   Serial Number Request
#####################################################################################################
  This command is used by the IRD to request the CAM's serial number.  If you
look at the underside of your CAM, you'll see a 12-digit, bar-coded number.
This number is your CAM ID, and every CAM has a unique one.  The first 10
digits of the number are significant, and the last 2 are a 2-digit check code.
If you take the 10-digit serial number and convert it to hex, you'll have your
card's hex CAM ID.  For example, let's say your card's serial number is
00 5738 6394 07.  In this case, the serial number is 57386934.  In hex, that
would be 36BA59A.  The $12 packet and its response for this CAM would look 
like this:

  21 00 08 ; A0 CA 00 00                ;Standard header
             02                         ;Instruction length
             12                         ;Command
             00                         ;Command data length
             06                         ;Expected response length
             55                         ;Checksum

  12 00 08 ; 92                         ;Response code
             04                         ;Response data length
             03 6B A5 9A                ;CAM ID: 036BA59A (00 5738 6394 07)
             90 00                      ;SW1/SW2: Successful completion
             4B                         ;Checksum

  Note that the two-digit check code isn't included as part of the response.
This check code is only used by the Dish Network customer service drone to
ensure that you do (or at one time did), in fact, have physical possession
of the card when you call to subscribe.

Ready to send packet:
21 40 08 A0 CA 00 00 02 12 00 06 15 

12 00 08 92 04 03 9B 71 FF 90 00 0A

#####################################################################################################
#####################################################################################################
#Cmd.15
#Rom:101-102-S01
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#15	  02	  08	  95	  08	  N2	  Processing cycle request
#####################################################################################################

  21 00 08 ; A0 CA 00 00                ;Standard header
             02                         ;Instruction length
             15                         ;Command
             00                         ;Command data length
             08                         ;Expected response length
             5C                         ;Checksum

  12 00 0A ; 95                         ;Response code
             06                         ;Response data length
             0E
             55 55 60 0E 55
             90 00                      ;SW1/SW2: Successful completion
             2E                         ;Checksum

Ready to send packet:
21 00 08 A0 CA 00 00 02 15 00 08 5C

12 00 0A 95 06 0E 55 55 60 0E 55 90 00 2E
#####################################################################################################
#####################################################################################################
#Cmd.16
#Rom:FWOnly
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#16	  00	  Varies  96	  04	  ??
#####################################################################################################

  21 00 08 ; A0 CA 00 00                ;Standard header
             00                         ;Instruction length
             16                         ;Command
             00                         ;Command data length
             04                         ;Expected response length
             51                         ;Checksum

  12 00 02 ; 6F 00 7F 			;Command not supported

Ready to send packet:
21 00 08 A0 CA 00 00 00 16 00 04 51	Rom 101-102-S01 command not supported
12 00 02 6F 00 7F 
#####################################################################################################
#####################################################################################################
#Cmd.17
#Rom:101-102
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#17	  00	  Varies  97	  02	  N2	  Special Entitlement Management Message Cmd17 (EMM)
#####################################################################################################
appear to be cmd04 with two sub prepare,

UROM:6451             Command17:
UROM:6451 CD 5A C0                    call    Copy_to_RAM
UROM:6454 0E 64                       dc.w IOBUFFER6C			; SourceH, SourceL,
UROM:6456 03 CB                       dc.w unk_3CB			; DestH, DestL
UROM:6458 03                          dc.b 3				; Bytes Count (4N)

UROM:6459             Command18:                                        ; CODE XREF: CheckCMD04+6j
UROM:6459 C7 03 CA                    ld      byte_3CA, a               ; Load
UROM:645C CD 66 28                    call    ClearEMMECMFlags          ; Call subroutine
UROM:645F 16 63                       bset    STATS2, #3                ; Bit Set
UROM:6461 20 03                       jra     Command04_Decrypt_Init_JP ; Jump relative always


  21 00 08 ; A0 CA 00 00                ;Standard header
             00                         ;Instruction length
             17                         ;Command
             00                         ;Command data length
             02                         ;Expected response length
             56                         ;Checksum

  12 00 04 ; 97                         ;Response code
             00                         ;Response data length
             90 00                      ;SW1/SW2: Successful completion
             11                         ;Checksum


Ready to send packet:
21 00 08 A0 CA 00 00 00 17 00 02 56

12 00 04 97 00 90 00 11 		Rom 101-102 command supported
12 00 02 6F 00 7F 			Rom S01 command not supported
#####################################################################################################
#####################################################################################################
#Cmd.18
#Rom:101-102
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#18	  00	  Varies  98	  02	  N2	  Special Entitlement Management Message Cmd18 (EMM)
#####################################################################################################
appear to be cmd04 with one sub prepare


UROM:6459             Command18:                                        ; CODE XREF: CheckCMD04+6j
UROM:6459 C7 03 CA                    ld      byte_3CA, a               ; Load
UROM:645C CD 66 28                    call    ClearEMMECMFlags          ; Call subroutine
UROM:645F 16 63                       bset    STATS2, #3                ; Bit Set
UROM:6461 20 03                       jra     Command04_Decrypt_Init_JP ; Jump relative always


  21 00 08 ; A0 CA 00 00                ;Standard header
             00                         ;Instruction length
             18                         ;Command
             00                         ;Command data length
             02                         ;Expected response length
             59                         ;Checksum

  12 00 04 ; 98                         ;Response code
             00                         ;Response data length
             90 00                      ;SW1/SW2: Successful completion
             1E                         ;Checksum


Ready to send packet:
21 00 08 A0 CA 00 00 00 18 00 02 59

12 00 04 98 00 90 00 1E			 Rom 101-102 command supported
12 00 02 6F 00 7F 			 Rom S01 command not supported
#####################################################################################################
#####################################################################################################
#Cmd.19
#Rom:FWOnly
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#19	  00	  Varies  99	  04	  ??
#####################################################################################################

  21 00 08 ; A0 CA 00 00                ;Standard header
             00                         ;Instruction length
             19                         ;Command
             00                         ;Command data length
             04                         ;Expected response length
             5E                         ;Checksum
 
  12 00 02 ; 6F 00 7F 			;Command not supported

Ready to send packet:
21 00 08 A0 CA 00 00 00 19 00 04 5E	Rom 101-102-S01 command not supported
12 00 02 6F 00 7F 


#####################################################################################################
#####################################################################################################
#Cmd.1A
#Rom:102
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#1A	  02	  08	  9A	  00	  N2      Control Word Request (video decryption key request)
#####################################################################################################
#################################################################################################
   This command is used by the IRD to request the decryption keys for the
channel to which the IRD is currently tuned.
Command 1A doesnt contain RandomData like 1C, but only for cmd07, contain ecm=

UROMPAGE00:8BAC 08 8E 08                    btjt    {EMMBUFF+$E}, #4, loc_8BB7 ; Jump if bit is true
UROMPAGE00:8BAF 27 4A                       jreq    Decode_CW_Cmd1A_processing ; Jump if Z = 1 (equal)
UROMPAGE00:8BB1 4A                          dec     a                         ; Decrement
UROMPAGE00:8BB2 27 47                       jreq    Decode_CW_Cmd1A_processing ; Jump if Z = 1 (equal)


IoBuff cleared FF but possible to read EC LEN
  21 00 08 ; A0 CA 00 00                ;Standard header
             02                         ;Instruction length
             1A                         ;Command
             00                         ;Command data length
             00                         ;Expected response length
             5B                         ;Checksum

  12 00 04 ; 9A                         ;Response code
             00                         ;Response data length
             90 00                      ;SW1/SW2: Successful completion
             1C                         ;Checksum


Ready to send packet :
21 00 08 A0 CA 00 00 02 1A 00 00 5B

12 00 04 9A 00 90 00 1C 		Rom 102 command supported

12 40 02 6F 00 3F 			Rom 101-102-S01 command not supported


maximum is
21 00 08 A0 CA 00 00 02 1A 00 EE B5 

12 00 F0 9A EC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 04 
#####################################################################################################
#####################################################################################################
#Cmd.1C
#Rom:101-102
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#1C	  02	  08	  9C	  36	  N2	  Control Word Request (video decryption key request)
#####################################################################################################
   This command is used by the IRD to request the decryption keys for the
channel to which the IRD is currently tuned.  This command is a counterpart
to command $07.  The decryption keys are sent from the IRD to the CAM in an
encrypted form that the IRD doesn't know how to decode along with information
that tells the CAM which channel the IRD is tuned to.  If the CAM decides that
the user should be able to view the specified channel (ie., if there is a
valid subscription tier in the CAM for the specified channel), then when the
next $1C command is issued, the CAM will decrypt the data it was given in the
$07 command, re-encrypt it using a key and method known to the IRD, and send
the data back to the IRD, which will then decrypt the data and use it to
decrypt the video and audio data streams.  A typical $1C packet and it's
associated response would look like this:

  21 00 08 ; A0 CA 00 00                ;Standard header
             02                         ;Instruction length
             1C                         ;Command
             00                         ;Command data length
             36                         ;Expected response length
             6B                         ;Checksum

  12 00 38 ; 9C                         ;Response code
             34                         ;Response data length
             00 08			;Key Selet "00 00" "00 08"
             A1 23 D2 8F 0A 61 A5 04    ;Data #0
             10 15 79 90 62 BC B3 2E    ;Data #1
             7B 93 00 70 44 5A 5A 81    ;Data #2
             00 08			;Key Selet "00 00" "00 08"
             A8 8C 59 E7 E4 A9 CC C1	;Data #0
             B9 F4 56 E5 9F 23 25 1F	;Data #1
             D3 00 D0 BD B9 A8 FF ED	;Data #2
             90 00                      ;SW1/SW2: Successful completion
             EA                         ;Checksum

Ready to Send packet:
21 00 08 A0 CA 00 00 02 1C 00 36 6B

12 00 38 9C 34 00 08 A1 23 D2 8F 0A 61 A5 04 10 15 79 90 62 BC B3 2E 7B 93 00 70 44 5A 5A 81 00 08 A8 8C 59 E7 E4 A9 CC C1 B9 F4 56 E5 9F 23 25 1F D3 00 D0 BD B9 A8 FF ED 90 00 EA
#####################################################################################################
#####################################################################################################
#Cmd.22
#Rom:101-102-S01
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#22	  03	  09	  A2	  00	  N2	  Data item request
#####################################################################################################
Cmd $22 Data types (DT)				"Copy paste from DbDan observations"

   When the ird is polling for data types it will always start with the 
upper nibble 0x0.  If the data type returns non zero data then it will
poll with upper nibble 0x8.  If the data type keeps returning non-zero
data then the IRD will keep polling with upper nibble 0x8 until the ird
returns zero data.  When these data types are stored in the memory of the 
IRD they will all show the upper nibble 0x8 as can be seen with a ram dump 
of the IRD.

#####################################################################################################
#####################################################################################################
#Section2.2.22A Command
#Data type $xx				
#####################################################################################################
Data type $00

   This is information on the IRD that the CAM is married to.  It includes such
information as the married IRD's serial number, the ZIP code and time zone
where the subscriber is located, information on the IRD's software revision
level.  Nagra2 DT $00 has replaced Nagra1 DT $01.  The structure of the $00 data 
type is as follows:


  21 40 09 ; A0 CA 00 00
             03
             22
             01
             00				;DT 00
             39				;Expected response length
             1B


  12 40 3B ; A2
             37
             
             2A				;Response data length
             FF				;
             90				;
             00 00			;
             00 01			;System type (00 01 = Dish; 08 01 = Bev)
             01				;IRD Status byte
             E1				;Time zone
             01 01 01			;
             xx xx xx xx		;IRD #
             00 00			;
             00 01 5C 23		;Zip code= 89123
             12 0F			;Expire Date
             A8 BE			;Expire Time
             10				;Length of IRD description
             xx xx xx xx		;IRD # in reverse
             32 31 43 42		;IRD bootstrap in ascii
             44 43 38 44		;IRD build code in ascii
             50 32 32 33		;IRD firmware in ascii
             
             00 00 00 00 00 00 00 00 00 00 00 00
             90 00
             2A


   It's interesting to note that the "system type" field is pretty much the
same as the "system ID" field that appears in other data types, except that
in "system ID", the low bit of the high byte seems to be always set, while in
"system type" it seems always to be clear.
   The CMD $64 will write the IRD description info to the card.  But CMD $04 
writes the remainder of the bytes.

  IRD status byte: Several status flags relating to the IRD and/or
subscription are passed in this byte as follows:

***Note***  Uncertain as of yet.  00 and 01 are only ones seen so far.

  Time zone encoding: The time zone is expressed as an 8-bit signed integer
which represents the number of 15-minute ticks that need to be added or sub-
tracted from GMT.  Thus, 00 is GMT, FF is GMT minus 15 minutes, etc.  The
following table details CONUS time zones:


  Time    Offset    Offset    Time zone    Time zone
  Zone    (hours)   (ticks)   byte (dst)   byte (std)
  ----    -------   -------   ----------   ----------
  PST     GMT-8     GMT-31        E5           E1
  MST     GMT-7     GMT-27        E9           E5
  CST     GMT-6     GMT-23        ED           E9
  EST     GMT-5     GMT-19        F1           ED


 ***Note*** The DST is an assumption as I haven't seen it yet.

  Note that NagraVision handles daylight savings time by simply adjusting the
time zone byte for all IRDs in areas that are affected by daylight savings
time, causing the time to shift an hour back in the fall/winter (on the last
Sunday in October) and an hour forward in the spring/summer (on the
first Sunday in April).


	TZ	Zip Hex		Zip dec
	E1	00 01 5C 23	89123	Las Vegas, NV
	ED	00 00 0D 3E	03390	somewhere in eastern canada
	E9	00 01 36 35	79413	Lubbock, TX
	E9	00 00 8C B9	36025	Elmore, AL
	E9	00 01 29 1F	76063	Mansfield, TX
	ED	00 00 7F E2	32738	DELTONA, FL
	E9	00 01 26 E6	75494	WINNSBORO, TX
	E9	00 00 A4 57	42071	MURRAY, KY
	ED	00 00 84 1F	33823	AUBURNDALE, FL
	ED	00 00 7D 35	32053	JENNINGS, FL
	E9	00 01 13 EA	70634	DERIDDER, LA
	E4	00 01 4D 06	85254	SCOTTSDALE, AZ (12/22/2004)Doesn't observe DST


Data type $01

  Type $01 is information about alternate programming providers and/or
customer-specific interests.  This data type seems to be used only to allow
filtering of EMM commands to specific groups of cards, which could either be
cards subscribed to a particular package or programming provider (this would
be similar to the old situation with DirecTV where DirecTV and USSB both
provided programming to DSS customers), or cards belonging to customers that
have been itentified by their master programming provider as having specific
interests (ie., ethnic channels, sports packages, porn channels, religious
programming, etc.).  The Nagra2 DT $01 has replaced the Nagra1 DT $02.  Data 
type $01 breaks down as follows:


  21 40 09 ; A0 CA 00 00
             03
             22
             01
             01				;DT 01
             0E				;Expected response length
             2D


  12 40 10 ; A2
             0C
             
             0B				;Response data length
             E0 00			;
             00 00			;
             09 01			;System ID (01 01 = Dish; 09 01 = Bev)
             00 00			;
             00 00 00			;
             
             90 00
             9F


Data type $02

  Doesn't appear to be in use but IRD calls for it anyway.


  21 40 09 ; A0 CA 00 00
             03
             22
             01
             02				;DT 02
             2F				;Expected response length
             0F


  12 40 31 ; A2
             2D
             00
             00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00
             90 00
             7C


Data type $03

  Doesn't appear to be in use but IRD calls for it anyway.


  21 00 09 ; A0 CA 00 00
             03
             22
             01
             03				;DT 03
             1C				;Expected response length
             7D


  12 00 1E ; A2
             1A
             00
             00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00
             90 00
             24


Data type $04


  21 40 09 ; A0 CA 00 00
             03
             22
             01
             04				;DT 04
             44				;Expected response length
             62


  12 40 46 ; A2
             42
             
             07				;Response data length
             C0 00			;
             00 00			;
             08				;System type - 00 = Dish & 08 = Bev
             00 00			;

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
             90 00
             AB


Data type $84

   This data type contains information about programming in general, so its
likely some sort of "programming provider" data type.  Included in this is
information about blackouts (which seems to be a bit mapped field).  In addition,
some type $84 data (one entry per card, as far as I can tell) seems to include
a telephone number...this is possibly the phone number that the IRD is
supposed to call when it wants to report PPV purchases and so on.  The Nagra2
DT $04/84 has replaced the Nagra1 DT $06.  This data has the following structure:


  21 00 09 ; A0 CA 00 00
             03
             22
             01
             84				;DT 84
             44				;Expected response length
             A2


  12 00 46 ; A2
             42
             
             41				;Response data length
             FF				;
             80				;
             00 00			;
             01				;01 = Dish ; 09 = Bev
             00 00			;
             10 EF			;Next regular Callback date = 11/14/2003
             07 01			;Next regular Callback time = 12:59:46 AM
             11 85			;Expire Date = 4/12/2004
             48 0D			;Expire Time = 10:14:50 AM
             00 00			;Last Callback date
             00 00			;Last Callback time
             B4				;Callback retry period
             00				;IRD status flag
             20				;Length of Blackout byte area + 00's
             32 00 15 00 3D 2E 39 34	;Blackout bytes
             24 27 00 1D		;Blackout bytes ; 1D = Las Vegas
             00 00 00 00 00 00		;--
             00 00 00 00 00 00		;  |-- Key0 and Key1 possibly
             00 00 00 00 00 00		;  |-- hidden in this area?
             00 00			;--
             0A				;Length of callback area
             18 00 26 79 08		;Callback phone #
             4F FF FF FF FF		;
             
             90 00
             E2


***IRD status flags seen 
00 = 0000 0000
01 = 0000 0001 = Current sub.?
02 = 0000 0010 = PPV has been purchased.?
0F = 0000 1111
14 = 0001 0100

Data type $05

   This data type contains information relating to the standard channel
services which the customer is subscribed to.  This information is used by the
CAM to decide whether a program whose data is passed in a $1C command is
viewable, and by the IRD to decide which channels to show in its EPG.  In a
typical subscribed card, this data type will have many entries.  
   This data type also includes the PPV DT's as well, except that it relates to
PPV events rather than normal channels.  Also to note is that the PPV DT $05 also 
includes the PPV description and sometimes date/time as was seen in the DT $11 
on Nagra1.  Nagra2 DT $05/$85 has replaced the $08, $0B, and $11 from Nagra1.
   Byte length varies from 1C-1E for reg tier to at least 4F for PPV tier.

   An example of a DT $05 is:

  21 00 09 ; A0 CA 00 00
             03
             22
             01
             05				;DT 05
             57				;Expected response length
             30


  12 20 58 ; A2
             55
             
             1D				;Response data length
             FF				;
             0C				;Tier type 0C
             00 00			;
             09 01			;System ID (01 01 = Dish ; 09 01 = Bev)
             01				;IRD status byte
             00 0A 8E			;Rights ID = 2702
             11 BD			;Expire date = 6/7/2004
             A8 BF			;Expire time = 11:59:58 PM
             01 82			;Lo tier ID
             00				;
             11 80			;Begin date = 4/7/2004
             00 00			;Begin time = 12:00:00 AM
             36 38			;Rights date = 1/1/2030
             A8 BE			;Rights time = 11:59:56 PM
             FF				;Theme
             00 FF			;Theme Extension
             01				;Level

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00
             00 90
             DF


   Note that presenting this data to the IRD is not enough to receive
programming: the IRD will still depend on the CAM to provide the video
decryption keys, and if the CAM knows that a channel for which the IRD is
requesting information isn't subscribed, it won't return the proper keys.

Data type $85

   This is same as DT $05 but with upper nibble set to 0x8 for successive
tiers until a zero return is found.

  21 40 09 ; A0 CA 00 00
             03
             22
             01
             85				;DT 85
             57				;Expected response length
             F0


  12 20 58 ; A2
             55
             
             1E				;Response data length
             FF				;
             88				;Tier type 88
             00 00			;
             01 01			;System ID
             01				;IRD status byte
             00 03 B6			;Rights ID = 950
             12 0F			;Expire date = 8/28/2004
             A8 BE			;Expire time = 11:59:56 PM
             03 B6			;Lo tier ID
             00				;
             11 84			;Begin date = 4/11/2004
             00 00			;Begin time = 12:00:00 AM
             36 38			;Rights date = 1/1/2030
             A8 BE			;Rights time = 11:59:56 PM
             03 D1			;Hi tier ID
             FF				;Theme
             00 FF			;Theme Extension

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00
             00 90
             7A


   For more info on DT $05/$85 see the tier comparison section.

Data type $06

   DT $06 seems similar to DT $01 except this DT has system type instead 
of system ID.


  21 00 09 ; A0 CA 00 00
             03
             22
             01
             06				;DT 06
             13				;Expected response length
             77


  12 00 15 ; A2
             11
             
             08				;Response data length
             E0 00			;
             00 00			;
             08 01			;System type (00 01 = Dish ; 08 01 = Bev)
             20				;Status byte
             00				;

             00 00 00 00 00 00 00 00
             90 00
             E5


Data type $07

   This data type relates to the user's spending limit and credit with the
program provider.  It's used to determine whether or not an impulse PPV
purchase will be allowed.  Nagra2 DT $07 has replaced Nagra1 DT $0C.
The data breaks down as follows:
21 00 09 A0 CA 00 00 03 22 01 07 20 45

  21 00 09 ; A0 CA 00 00
             03
             22
             01
             07				;DT 07
             20				;Expected response length
             45


  12 00 22 ; A2
             1E
             
             18				;Response data length
             FC 00			;
             00 00			;
             09 01			;System ID (01 01 = Dish ; 09 01 = Bev)
             01				;IRD status byte
             11 BC			;Date
             A8 BF			;Time
             00 03 63			;Credit in cash $3.99
             00 00 0A 00		;Debit in cash
             00				;
             00 32			;Phone home threshold
             FF FF FF			;

             00 00 00 00 00
             90 00
             8C

***Note***	IRD status bytes seen - 
01 = 0000 0001
41 = 0100 0001
81 = 1000 0001
C1 = 1100 0001



Data type $08

   Seems to be some sort of prepared callback data type.  It appears that only 
sub cams or ex-subs that have not been de-subbed are the only ones to return 
non-zero data but they don't always return data.

21 00 09 A0 CA 00 00 03 22 01 08 4B 21
  21 00 09 ; A0 CA 00 00
             03
             22
             01
             08				;DT 08
             4B				;Expected response length
             21


  12 00 4D ; A2
             49
             
             52				;Response data length
             F0 00			;
             00 00			;
             08 01			;System type (00 01 = Dish ; 08 01 = Bev)
             08 FF			;
             49				;Length
             80				;
             38 8C 90 98 98 C1 63 A4	;
             86 C7 B6 C8 56 49 04 27	;
             B2 D8 4C 01 C1 E8 2F 6C	;
             8C CD 1A E1 AA B6 73 9E	;
             DC F4 AC 2B 9F 02 E4 07	;
             9C 3E A1 FC 2A 19 F4 2F	;
             AD C2 B6 96 04 06 92 F7	;
             84 8F BB 0A 60 6F		;
             
             90 00
             CD


Data type $C8

   Same as DT $08 except upper nibble is set to 0xC and also the $22 command requests 
0xA bytes more then on the $08 above.

21 40 09 A0 CA 00 00 03 22 01 C8 55 BF
  21 40 09 ; A0 CA 00 00
             03
             22
             01
             C8				;DT C8
             55				;Expected response length
             BF


  12 40 57 ; A2
             53
             
             52				;Response data length
             F0 00			;
             00 00			;
             08 01			;System type (00 01 = Dish ; 08 01 = Bev)
             08 FF			;
             49				;Length
             80				;Decrypt key
             38 8C 90 98 98 C1 63 A4	;
             86 C7 B6 C8 56 49 04 27	;
             B2 D8 4C 01 C1 E8 2F 6C	;
             8C CD 1A E1 AA B6 73 9E	;
             DC F4 AC 2B 9F 02 E4 07	;
             9C 3E A1 FC 2A 19 F4 2F	;
             AD C2 B6 96 04 06 92 F7	;
             84 8F BB 0A 60 6F FB A8	;
             D4 E1 9F 6B 0B 69 AB C4	;
             
             90 00
             12

Data type $09

   DT $09 - DT $0F are only being included because according to logs the IRD 
polls for them.  So far I have seen nothing but zero values returned for these.


  21 40 09 ; A0 CA 00 00
             03
             22
             01
             09				;DT 09
             06				;Expected response length
             2D


  12 40 08 ; A2
             04
             00
             00 00 00
             90 00
             6C


Data type $0A


  21 00 09 ; A0 CA 00 00
             03
             22
             01
             0A				;DT 0A
             06				;Expected response length
             6E


  12 00 08 ; A2
             04
             00
             00 00 00
             90 00
             2C


Data type $0B


  21 40 09 ; A0 CA 00 00
             03
             22
             01
             0B				;DT 0B
             06				;Expected response length
             2F


  12 40 08 ; A2
             04
             00
             00 00 00
             90 00
             6C


Data type $0C


  21 00 09 ; A0 CA 00 00
             03
             22
             01
             0C				;DT 0C
             06				;Expected response length
             68


  12 00 08 ; A2
             04
             00
             00 00 00
             90 00
             2C


Data type $0D

  21 40 09 ; A0 CA 00 00
             03
             22
             01
             0D				;DT 0D
             06				;Expected response length
             29


  12 40 08 ; A2
             04
             00
             00 00 00
             90 00
             6C


Data type $0E


  21 00 09 ; A0 CA 00 00
             03
             22
             01
             0E				;DT 0E
             06				;Expected response length
             6A


  12 00 08 ; A2
             04
             00
             00 00 00
             90 00
             2C


Data type $0F


  21 40 09 ; A0 CA 00 00
             03
             22
             01
             0F				;DT 0F
             06				;Expected response length
             2B


  12 40 08 ; A2
             04
             00
             00 00 00
             90 00
             6C

#####################################################################################################
#####################################################################################################
#Section2.2.22B Command
#Tier break down				
#####################################################################################################
									thanks to Dbdan
   The DT $05/$85 tier types are all encompassing for both regular tiers and 
for PPV tiers.  There are 3 types of regular tiers as can be seen below:

   Tier type $08

1C FF 08 00 00 01 01 11 00 01 56 12 0F A8 BE 00 E6 00 11 84 00 00 36 38 A8 BE FF 00 FF ; Western Ch#342

1C		;Length
FF		;
08		;Tier type 08
00 00		;
01 01		;System ID = Dish
11		;IRD status byte
00 01 56	;Rights ID = 342
12 0F		;Expire date = 8/28/2004
A8 BE		;Expire time = 11:59:56 PM
00 E6		;LO tier ID
00		;
11 84		;Begin date = 4/11/2004
00 00		;Begin time = 12:00:00 AM
36 38		;Rights date = 1/1/2030
A8 BE		;Rights time = 11:59:56 PM
FF		;Theme
00 FF		;Theme Extension


   Tier type $0C
   This is the same as tier type 08 except has level added at end of tier.

1D FF 0C 00 00 09 01 01 00 0A 8E 11 BD A8 BF 01 82 00 11 80 00 00 36 38 A8 BE FF 00 FF 01 ; a bev tier

1D		;Length
FF		;
0C		;Tier type 0C
00 00		;
09 01		;System ID = Bev
01		;IRD status byte
00 0A 8E	;Rights ID = 2702
11 BD		;Expire date = 6/7/2004
A8 BF		;Expire time = 11:59:58 PM
01 82		;Lo tier ID
00		;
11 80		;Begin date = 4/7/2004
00 00		;Begin time = 12:00:00 AM
36 38		;Rights date = 1/1/2030
A8 BE		;Rights time = 11:59:56 PM
FF		;Theme
00 FF		;Theme Extension
01		;Level


   Tier type $88
Correction by Muah
type 88 is a package tier, and Dish sells packages more than individual channels?

Other:so one can assume that if the Tier is type 88, the following code is for a package? Individual tiers, Type 08, do not have a hi coz they represent 1 channel. Maybe hi and lo are the same so they are not repeated (instead of 800 like before)?

1E FF 88 00 00 01 01 01 00 03 B6 12 0F A8 BE 03 B6 00 11 84 00 00 36 38 A8 BE 03 D1 FF 00 FF ; CD Music Ch# 950 - 980

1E		;Length
FF		;
88		;Tier type 88
00 00		;
01 01		;System ID = Dish
01		;IRD status byte
00 03 B6	;Rights ID = 950
12 0F		;Expire date = 8/28/2004
A8 BE		;Expire time = 11:59:56 PM
03 B6		;Lo tier ID
00		;
11 84		;Begin date = 4/11/2004
00 00		;Begin time = 12:00:00 AM
36 38		;Rights date = 1/1/2030
A8 BE		;Rights time = 11:59:56 PM
03 D1		;Hi tier ID
FF		;Theme
00 FF		;Theme Extension


   Below are some examples of the PPV tiers.  One will notice that on Nagra2
they have combined the PPV tier and the description into 1 encompassing tier.  
The PPV tier can be of varying lengths and the format changes as well.

   Tier type $C0

2C FD C0 41 00 01 01 10 00 91 EE 11 A1 A8 BE 00 01 00 11 A1 A8 BE 7F FF 00 00 91 EE 00 03 63 00 0C 47 4F 54 48 49 4B 41 20 20 20 20 20

2C                       ;Response Data Length
FD                       ;
C0                       ;Tier Type
41 00                    ;
01 01                    ;System ID = Dish Network
10                       ;IRD Status Byte
00 91 EE                 ;LO PPV ID = 37358
11 A1                    ;Rights Date = May / 10 / 2004
A8 BE                    ;Rights Time = 23:59:56
00 01                    ;Min Channel = 1
00                       ;
11 A1                    ;Expire Date = May / 10 / 2004
A8 BE                    ;Expire Time = 23:59:56
7F FF                    ;Max Channel = 32767
00 00 91 EE              ;HI PPV ID = 37358
00 03 63                 ;Event Price = $3.99
00                       ;
0C                       ;PPV Data Length
47 4F 54 48 49 4B 41 20  ; GOTHIKA 
20 20 20 20              ;    


   Tier type $E0

30 FD E0 41 00 01 01 10 01 67 88 11 6C A8 BE 00 01 00 11 6C A8 BE 7F FF 00 01 67 88 C0 00 00 00 00 31 5F 00 0C 57 57 45 20 33 2F 31 34 20 20 20 20

30                       ;Response Data Length
FD                       ;
E0                       ;Tier Type
41 00                    ;
01 01                    ;System ID = Dish Network
10                       ;IRD Status Byte
01 67 88                 ;LO PPV ID = 92040
11 6C                    ;Rights Date = Mar / 18 / 2004
A8 BE                    ;Rights Time = 23:59:56
00 01                    ;Min Channel = 1
00                       ;
11 6C                    ;Expire Date = Mar / 18 / 2004
A8 BE                    ;Expire Time = 23:59:56
7F FF                    ;Max Channel = 32767
00 01 67 88              ;HI PPV ID = 92040
C0 00 00 00              ;
00 31 5F                 ;Event Price = $49.95
00                       ;
0C                       ;PPV Data Length
57 57 45 20 33 2F 31 34  ; WWE 3/14
20 20 20 20              ;     


   Tier type $E3

40 FD E3 61 00 01 01 30 01 12 EE 10 4C A8 BE 00 01 00 10 4C A8 BE 7F FF 00 01 12 EE 00 01 12 EE FF FF FF 10 4A A4 B7 00 07 63 00 10 4A A4 55 11 46 6C 69 63 6B 65 72 01 50 4C 42 59 02 10 4A A1 B9

40                       ;Response Data Length
FD                       ;
E3                       ;Tier Type
61 00                    ;
01 01                    ;System ID = Dish Network
30                       ;IRD Status Byte
01 12 EE                 ;LO PPV ID = 70382
10 4C                    ;Rights Date = Jun / 4 / 2003
A8 BE                    ;Rights Time = 23:59:56
00 01                    ;Min Channel = 1
00                       ;
10 4C                    ;Expire Date = Jun / 4 / 2003
A8 BE                    ;Expire Time = 23:59:56
7F FF                    ;Max Channel = 32767
00 01 12 EE              ;HI PPV ID = 70382
00 01 12 EE              ;
FF FF FF                 ;
10 4A                    ;ECM Odometer Date = Jun / 2 / 2003
A4 B7                    ;ECM Odometer Time = 23:25:34
00 07 63                 ;Event Price = $7.99
00                       ;
10 4A                    ;Buy Date = Jun / 2 / 2003
A4 55                    ;Buy Time = 23:22:18
11                       ;PPV Data Length
46 6C 69 63 6B 65 72 01  ; Flicker.
50 4C 42 59              ; PLBY
02                       ;
10 4A                    ;Event Start Date = Jun / 2 / 2003
A1 B9                    ;Event Start Time = 23:00:02


44 FD E3 61 00 01 01 30 00 B7 EA 0F 86 00 00 00 01 00 0F 86 00 00 7F FF 00 00 B7 EA 00 00 B7 EA FF FF FF 0F 85 82 23 00 07 63 00 0F 85 81 CA 15 42 6C 6F 6E 64 65 20 46 75 72 79 01 50 4C 42 59 02 0F 85 7E 91

44                       ;Response Data Length
FD                       ;
E3                       ;Tier Type
61 00                    ;
01 01                    ;System ID = Dish Network
30                       ;IRD Status Byte
00 B7 EA                 ;LO PPV ID = 47082
0F 86                    ;Rights Date = Nov / 18 / 2002
00 00                    ;Rights Time = 0:00:00
00 01                    ;Min Channel = 1
00                       ;
0F 86                    ;Expire Date = Nov / 18 / 2002
00 00                    ;Expire Time = 0:00:00
7F FF                    ;Max Channel = 32767
00 00 B7 EA              ;HI PPV ID = 47082
00 00 B7 EA              ;
FF FF FF                 ;
0F 85                    ;Buy Date = Nov / 17 / 2002
82 23                    ;Buy Time = 18:30:30
00 07 63                 ;Event Price = $7.99
00                       ;
0F 85                    ;ECM Odometer Date = Nov / 17 / 2002
81 CA                    ;ECM Odometer Time = 18:27:32
15                       ;PPV Data Length
42 6C 6F 6E 64 65 20 46  ; Blonde F
75 72 79 01 50 4C 42 59  ; ury.PLBY
02                       ;
0F 85                    ;Event Start Date = Nov / 17 / 2002
7E 91                    ;Event Start Time = 18:00:02


45 FD E2 69 00 01 01 20 01 61 76 12 22 A8 BE 00 01 00 12 22 A8 BE 7F FF 00 01 61 76 C0 00 00 00 FF FF FF 00 22 5F 00 12 1E A3 F3 2E 19 57 57 45 20 55 6E 66 6F 72 67 69 76 65 6E 01 53 50 4F 52 54 02 12 1E A5 3D

45                       ;Response Data Length
FD                       ;
E2                       ;Tier Type
69 00                    ;
01 01                    ;System ID = Dish Network
20                       ;IRD Status Byte
01 61 76                 ;LO PPV ID = 90486
12 22                    ;Rights Date = Sep / 16 / 2004
A8 BE                    ;Rights Time = 23:59:56
00 01                    ;Min Channel = 1
00                       ;
12 22                    ;Expire Date = Sep / 16 / 2004
A8 BE                    ;Expire Time = 23:59:56
7F FF                    ;Max Channel = 32767
00 01 61 76              ;HI PPV ID = 90486
C0 00 00 00              ;
FF FF FF                 ;
00 22 5F                 ;Event Price = $34.95
00                       ;
12 1E                    ;Buy Date = Sep / 12 / 2004
A3 F3                    ;Buy Time = 23:19:02
2E                       ;
19                       ;PPV Data Length
57 57 45 20 55 6E 66 6F  ; WWE Unfo
72 67 69 76 65 6E 01 53  ; rgiven.S
50 4F 52 54              ; PORT
02                       ;
12 1E                    ;Event Start Date = Sep / 12 / 2004
A5 3D                    ;Event Start Time = 23:30:02


46 FD E3 61 00 01 01 30 01 30 5C 10 90 A8 BE 00 01 00 10 90 A8 BE 7F FF 00 01 30 5C 00 01 30 5C FF FF FF 10 8F 0C 7B 00 03 63 00 10 8F 0C 57 17 54 68 65 79 20 28 41 6C 6C 20 44 61 79 29 01 50 50 56 02 10 8F 03 85

46                       ;Response Data Length
FD                       ;
E3                       ;Tier Type
61 00                    ;
01 01                    ;System ID = Dish Network
30                       ;IRD Status Byte
01 30 5C                 ;LO PPV ID = 77916
10 90                    ;Rights Date = Aug / 11 / 2003
A8 BE                    ;Rights Time = 23:59:56
00 01                    ;Min Channel = 1
00                       ;
10 90                    ;Expire Date = Aug / 11 / 2003
A8 BE                    ;Expire Time = 23:59:56
7F FF                    ;Max Channel = 32767
00 01 30 5C              ;HI PPV ID = 77916
00 01 30 5C              ;
FF FF FF                 ;
10 8F                    ;Buy Date = Aug / 10 / 2003
0C 7B                    ;Buy Time = 1:46:30
00 03 63                 ;Event Price = $3.99
00                       ;
10 8F                    ;ECM Odometer Date = Aug / 10 / 2003
0C                       ;PPV Data Length
57 17 54 68 65 79 20 28  ; W.They (
41 6C 6C 20 44 61 79 29  ; All Day)
01 50 50 56              ; .PPV
02                       ;
10 8F                    ;Event Start Date = Aug / 10 / 2003
03 85                    ;Event Start Time = 0:30:02


47 FD E2 61 00 09 01 20 00 F1 21 11 C4 00 00 00 00 00 11 C4 00 00 7F FF 00 00 F1 21 00 00 F1 21 FF FF FF 00 04 63 00 11 C2 93 0F 1C 54 68 65 20 48 61 75 6E 74 65 64 20 4D 61 6E 73 69 6F 6E 01 56 75 38 02 11 C2 93 A9

47                       ;Response Data Length
FD                       ;
E2                       ;Tier Type
61 00                    ;
09 01                    ;System ID = Bell ExpressVU
20                       ;IRD Status Byte
00 F1 21                 ;LO PPV ID = 61729
11 C4                    ;Rights Date = Jun / 14 / 2004
00 00                    ;Rights Time = 0:00:00
00 00                    ;Min Channel = 0
00                       ;
11 C4                    ;Expire Date = Jun / 14 / 2004
00 00                    ;Expire Time = 0:00:00
7F FF                    ;Max Channel = 32767
00 00 F1 21              ;HI PPV ID = 61729
00 00 F1 21              ;
FF FF FF                 ;
00 04 63                 ;Event Price = $4.99
00                       ;
11 C2                    ;Buy Date = Jun / 12 / 2004
93 0F                    ;Buy Time = 20:54:54
1C                       ;PPV Data Length
54 68 65 20 48 61 75 6E  ; The Haun
74 65 64 20 4D 61 6E 73  ; ted Mans
69 6F 6E 01 56 75 38     ; ion.Vu8
02                       ;
11 C2                    ;Event Start Date = Jun / 12 / 2004
93 A9                    ;Event Start Time = 21:00:02


48 FD E2 61 00 01 01 20 00 3F 81 11 1A A8 BE 00 01 00 11 1A A8 BE 7F FF 00 00 3F 81 00 00 3F 81 FF FF FF 00 03 63 00 11 19 15 F2 1D 4C 65 67 61 6C 6C 79 20 42 6C 6F 6E 64 65 20 32 20 28 41 6C 01 50 50 56 02 11 19 18 9D

48                       ;Response Data Length
FD                       ;
E2                       ;Tier Type
61 00                    ;
01 01                    ;System ID = Dish Network
20                       ;IRD Status Byte
00 3F 81                 ;LO PPV ID = 16257
11 1A                    ;Rights Date = Dec / 27 / 2003
A8 BE                    ;Rights Time = 23:59:56
00 01                    ;Min Channel = 1
00                       ;
11 1A                    ;Expire Date = Dec / 27 / 2003
A8 BE                    ;Expire Time = 23:59:56
7F FF                    ;Max Channel = 32767
00 00 3F 81              ;HI PPV ID = 16257
00 00 3F 81              ;
FF FF FF                 ;
00 03 63                 ;Event Price = $3.99
00                       ;
11 19                    ;Buy Date = Dec / 26 / 2003
15 F2                    ;Buy Time = 3:07:16
1D                       ;PPV Data Length
4C 65 67 61 6C 6C 79 20  ; Legally 
42 6C 6F 6E 64 65 20 32  ; Blonde 2
20 28 41 6C 01 50 50 56  ;  (Al.PPV
02                       ;
11 19                    ;Event Start Date = Dec / 26 / 2003
18 9D                    ;Event Start Time = 3:30:02


49 FD E3 69 00 01 01 70 01 60 D4 12 06 A8 BE 00 01 00 12 06 A8 BE 7F FF 00 01 60 D4 C0 00 00 00 FF FF FF 12 03 00 45 00 22 5F 00 12 02 A1 0D 2E 19 57 57 45 20 53 75 6D 6D 65 72 53 6C 61 6D 01 53 50 4F 52 54 02 12 02 A5 3D

49                       ;Response Data Length
FD                       ;
E3                       ;Tier Type
69 00                    ;
01 01                    ;System ID = Dish Network
70                       ;IRD Status Byte
01 60 D4                 ;LO PPV ID = 90324
12 06                    ;Rights Date = Aug / 19 / 2004
A8 BE                    ;Rights Time = 23:59:56
00 01                    ;Min Channel = 1
00                       ;
12 06                    ;Expire Date = Aug / 19 / 2004
A8 BE                    ;Expire Time = 23:59:56
7F FF                    ;Max Channel = 32767
00 01 60 D4              ;HI PPV ID = 90324
C0 00 00 00              ;
FF FF FF                 ;
12 03                    ;ECM Odometer Date = Aug / 16 / 2004
00 45                    ;ECM Odometer Time = 0:02:18
00 22 5F                 ;Event Price = $34.95
00                       ;
12 02                    ;Buy Date = Aug / 15 / 2004
A1 0D                    ;Buy Time = 22:54:18
2E                       ;
19                       ;PPV Data Length
57 57 45 20 53 75 6D 6D  ; WWE Summ
65 72 53 6C 61 6D 01 53  ; erSlam.S
50 4F 52 54              ; PORT
02                       ;
12 02                    ;Event Start Date = Aug / 15 / 2004
A5 3D                    ;Event Start Time = 23:30:02


4A FD E3 61 00 01 01 30 00 74 08 11 6A A8 BE 00 01 00 11 6A A8 BE 7F FF 00 00 74 08 00 00 74 08 FF FF FF 11 69 04 99 00 03 63 00 11 69 03 12 1B 53 2E 57 2E 41 2E 54 2E 20 28 41 6C 6C 20 44 61 79 29 01 50 50 56 02 11 69 03 85

4A                       ;Response Data Length
FD                       ;
E3                       ;Tier Type
61 00                    ;
01 01                    ;System ID = Dish Network
30                       ;IRD Status Byte
00 74 08                 ;LO PPV ID = 29704
11 6A                    ;Rights Date = Mar / 16 / 2004
A8 BE                    ;Rights Time = 23:59:56
00 01                    ;Min Channel = 1
00                       ;
11 6A                    ;Expire Date = Mar / 16 / 2004
A8 BE                    ;Expire Time = 23:59:56
7F FF                    ;Max Channel = 32767
00 00 74 08              ;HI PPV ID = 29704
00 00 74 08              ;
FF FF FF                 ;
11 69                    ;Buy Date = Mar / 15 / 2004
04 99                    ;Buy Time = 0:39:14
00 03 63                 ;Event Price = $3.99
00                       ;
11 69                    ;ECM Odometer Date = Mar / 15 / 2004
03 12                    ;ECM Odometer Time = 0:26:12
1B                       ;PPV Data Length
53 2E 57 2E 41 2E 54 2E  ; S.W.A.T.
20 28 41 6C 6C 20 44 61  ;  (All Da
79 29 01 50 50 56        ; y).PPV
02                       ;
11 69                    ;Event Start Date = Mar / 15 / 2004
03 85                    ;Event Start Time = 0:30:02


4B FD E3 61 00 01 01 30 00 88 E6 11 93 A8 BE 00 01 00 11 93 A8 BE 7F FF 00 00 88 E6 00 00 88 E6 FF FF FF 11 92 14 65 00 03 63 00 11 92 07 11 1C 47 6F 6F 64 20 42 6F 79 21 20 28 41 6C 6C 20 44 61 79 29 01 50 50 56 02 11 92 07 09

4B                       ;Response Data Length
FD                       ;
E3                       ;Tier Type
61 00                    ;
01 01                    ;System ID = Dish Network
30                       ;IRD Status Byte
00 88 E6                 ;LO PPV ID = 35046
11 93                    ;Rights Date = Apr / 26 / 2004
A8 BE                    ;Rights Time = 23:59:56
00 01                    ;Min Channel = 1
00                       ;
11 93                    ;Expire Date = Apr / 26 / 2004
A8 BE                    ;Expire Time = 23:59:56
7F FF                    ;Max Channel = 32767
00 00 88 E6              ;HI PPV ID = 35046
00 00 88 E6              ;
FF FF FF                 ;
11 92                    ;ECM Odometer Date = Apr / 25 / 2004
14 65                    ;ECM Odometer Time = 2:54:02
00 03 63                 ;Event Price = $3.99
00                       ;
11 92                    ;Buy Date = Apr / 25 / 2004
07 11                    ;Buy Time = 1:00:18
1C                       ;PPV Data Length
47 6F 6F 64 20 42 6F 79  ; Good Boy
21 20 28 41 6C 6C 20 44  ; ! (All D
61 79 29 01 50 50 56     ; ay).PPV
02                       ;
11 92                    ;Event Start Date = Apr / 25 / 2004
07 09                    ;Event Start Time = 1:00:02


4C FD E3 61 00 01 01 30 00 FB 7A 10 23 A8 BE 00 01 00 10 23 A8 BE 7F FF 00 00 FB 7A 00 00 FB 7A FF FF FF 10 22 7A C3 00 03 63 00 10 22 77 7B 1D 4D 79 20 42 69 67 20 46 61 74 20 47 72 65 65 6B 20 57 65 64 01 50 50 56 02 10 22 6C FD

4C                       ;Response Data Length
FD                       ;
E3                       ;Tier Type
61 00                    ;
01 01                    ;System ID = Dish Network
30                       ;IRD Status Byte
00 FB 7A                 ;LO PPV ID = 64378
10 23                    ;Rights Date = Apr / 24 / 2003
A8 BE                    ;Rights Time = 23:59:56
00 01                    ;Min Channel = 1
00                       ;
10 23                    ;Expire Date = Apr / 24 / 2003
A8 BE                    ;Expire Time = 23:59:56
7F FF                    ;Max Channel = 32767
00 00 FB 7A              ;HI PPV ID = 64378
00 00 FB 7A              ;
FF FF FF                 ;
10 22                    ;ECM Odometer Date = Apr / 23 / 2003
7A C3                    ;ECM Odometer Time = 17:27:34
00 03 63                 ;Event Price = $3.99
00                       ;
10 22                    ;Buy Date = Apr / 23 / 2003
77 7B                    ;Buy Time = 16:59:34
1D                       ;PPV Data Length
4D 79 20 42 69 67 20 46  ; My Big F
61 74 20 47 72 65 65 6B  ; at Greek
20 57 65 64 01 50 50 56  ;  Wed.PPV
02                       ;
10 22                    ;Event Start Date = Apr / 23 / 2003
6C FD                    ;Event Start Time = 15:30:02


4E FD E3 61 00 01 01 30 00 E4 00 0F EB 00 00 00 01 00 0F EB 00 00 7F FF 00 00 E4 00 00 00 E4 00 FF FF FF 0F E9 2A BF 00 0A 63 00 0F E9 29 F0 1F 4E 69 6E 65 74 65 65 6E 3A 20 50 6C 61 74 69 6E 75 6D 20 45 01 54 58 54 53 59 02 0F E9 26 AD

4E                       ;Response Data Length
FD                       ;
E3                       ;Tier Type
61 00                    ;
01 01                    ;System ID = Dish Network
30                       ;IRD Status Byte
00 E4 00                 ;LO PPV ID = 58368
0F EB                    ;Rights Date = Feb / 27 / 2003
00 00                    ;Rights Time = 0:00:00
00 01                    ;Min Channel = 1
00                       ;
0F EB                    ;Expire Date = Feb / 27 / 2003
00 00                    ;Expire Time = 0:00:00
7F FF                    ;Max Channel = 32767
00 00 E4 00              ;HI PPV ID = 58368
00 00 E4 00              ;
FF FF FF                 ;
0F E9                    ;ECM Odometer Date = Feb / 25 / 2003
2A BF                    ;ECM Odometer Time = 6:04:46
00 0A 63                 ;Event Price = $10.99
00                       ;
0F E9                    ;Buy Date = Feb / 25 / 2003
29 F0                    ;Buy Time = 5:57:52
1F                       ;PPV Data Length
4E 69 6E 65 74 65 65 6E  ; Nineteen
3A 20 50 6C 61 74 69 6E  ; : Platin
75 6D 20 45 01 54 58 54  ; um E.TXT
53 59                    ; SY
02                       ;
0F E9                    ;Event Start Date = Feb / 25 / 2003
26 AD                    ;Event Start Time = 5:30:02


4F FD E3 69 00 01 01 30 01 6A A5 0F F2 00 00 00 01 00 0F F2 00 00 7F FF 00 01 6A A5 00 01 6A A5 FF FF FF 0F EE 0E 55 00 31 5F 00 0F EB 1A EC 2E 1F 42 6F 78 69 6E 67 3A 20 4A 6F 6E 65 73 20 4A 72 2E 20 76 73 01 4F 52 44 45 52 02 0F EB 00 01

4F                       ;Response Data Length
FD                       ;
E3                       ;Tier Type
69 00                    ;
01 01                    ;System ID = Dish Network
30                       ;IRD Status Byte
01 6A A5                 ;LO PPV ID = 92837
0F F2                    ;Rights Date = Mar / 6 / 2003
00 00                    ;Rights Time = 0:00:00
00 01                    ;Min Channel = 1
00                       ;
0F F2                    ;Expire Date = Mar / 6 / 2003
00 00                    ;Expire Time = 0:00:00
7F FF                    ;Max Channel = 32767
00 01 6A A5              ;HI PPV ID = 92837
00 01 6A A5              ;
FF FF FF                 ;
0F EE                    ;ECM Odometer Date = Mar / 2 / 2003
0E 55                    ;ECM Odometer Time = 2:02:18
00 31 5F                 ;Event Price = $49.95
00                       ;
0F EB                    ;Buy Date = Feb / 27 / 2003
1A EC                    ;Buy Time = 3:49:44
2E                       ;
1F                       ;PPV Data Length
42 6F 78 69 6E 67 3A 20  ; Boxing: 
4A 6F 6E 65 73 20 4A 72  ; Jones Jr
2E 20 76 73 01 4F 52 44  ; . vs.ORD
45 52                    ; ER
02                       ;
0F EB                    ;Event Start Date = Feb / 27 / 2003
00 01                    ;Event Start Time = 0:00:02


--------------------------------------
Ready to send packet:
	00 IRD INFO 
	08 ENCRYPTED
	C8 ENCRYPTED
	02,03,88,87,80,81,86,85,84,09-0F ZERO FUNCTIONING CMDS
	84 BLACKOUT INFO
	C4 BLACKOUT INFO EXTENDED  
	05 TIER 1 
	85 TIER 2 
	85 TIER 3 
	85 TIER 4 
	85 TIER 5 
	85 TIER 6 
	85 TIER 7 
	06 PRIMARY PROVIDER INFO
	04 ASK FOR BLACKOUT 
	07 CREDIT INFO
	01 SECONDARY PROVIDER INFO

CMD 220100 IRD INFO 
21 00 09 A0 CA 00 00 03 22 01 00 39 5B

CMD 220108 ENCRYPTED
21 00 09 A0 CA 00 00 03 22 01 08 55 3F

CMD 2201C8 ENCRYPTED
21 00 09 A0 CA 00 00 03 22 01 C8 55 FF

ZERO FUNCTIONING CMDS
21 00 09 A0 CA 00 00 03 22 01 02 2F 4F
21 00 09 A0 CA 00 00 03 22 01 03 1C 7D
21 00 09 A0 CA 00 00 03 22 01 88 55 BF
21 00 09 A0 CA 00 00 03 22 01 87 20 C5
21 00 09 A0 CA 00 00 03 22 01 80 39 DB
21 00 09 A0 CA 00 00 03 22 01 81 0E ED
21 00 09 A0 CA 00 00 03 22 01 86 13 F7
21 00 09 A0 CA 00 00 03 22 01 84 44 A2
21 00 09 A0 CA 00 00 03 22 01 09 06 6D
21 00 09 A0 CA 00 00 03 22 01 0A 06 6E
21 00 09 A0 CA 00 00 03 22 01 0B 06 6F
21 00 09 A0 CA 00 00 03 22 01 0C 06 68
21 00 09 A0 CA 00 00 03 22 01 0D 06 69
21 00 09 A0 CA 00 00 03 22 01 0E 06 6A
21 00 09 A0 CA 00 00 03 22 01 0F 06 6B

CMD 220185 TIER 2-3-4-5-6-7
21 00 09 A0 CA 00 00 03 22 01 85 57 B0

CMD 2201C4 BLACKOUT INFO EXTENDED 
21 00 09 A0 CA 00 00 03 22 01 C4 ZZ

CMD 220105 TIER 1
21 00 09 A0 CA 00 00 03 22 01 05 57 30

CMD 220106 PRIMARY PROVIDER INFO
21 00 09 A0 CA 00 00 03 22 01 06 13 77

CMD 220104 ASK FOR BLACKOUT 
21 00 09 A0 CA 00 00 03 22 01 04 44 22

CMD 220107 CREDIT INFO
21 00 09 A0 CA 00 00 03 22 01 07 20 45

CMD 220101 SECONDARY PROVIDER INFO
21 00 09 A0 CA 00 00 03 22 01 01 0E 6D
--------------------------------------
#####################################################################################################
#####################################################################################################
#Cmd.26
#Rom:102
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#26	  07/02	  0D/08	  A6/86	  42/00	  N2
#####################################################################################################

  21 00 08 ; A4 CA 00 00                ;None Standard header
             02                         ;Instruction length
             26                         ;Command
             00                         ;Command data length
             00                         ;Expected response length
             63                         ;Checksum

  12 00 05 ; 86                         ;Response code
             01                         ;Response data length
             00
             90 00                      ;SW1/SW2: Successful completion
             00                         ;Checksum


Ready to send packet:
21 00 0D A0 CA 00 00 07 26 05 AA AA AA AA AA 42 8A

12 00 02 6F 00 7F   			Rom 101-102-S01 command not supported

21 00 08 A4 CA 00 00 02 26 00 00 63 

12 00 05 86 01 00 90 00 00
12 00 02 6F 00 7F   			Rom 101-S01 command not supported 
#####################################################################################################
#####################################################################################################
#Cmd.27
#Rom:FWOnly
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#27	  47	  4D	  A7	  02	  ??
#####################################################################################################

  12 00 02 ; 6F 00 7F 			;Command not supported

Ready to send packet:
21 00 4D A0 CA 00 00 47 27 45 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 21

12 00 02 6F 00 7F   			Rom 101-102-S01 command not supported


#####################################################################################################
#####################################################################################################
#Cmd.28
#Rom:FWOnly
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#28	  03	  09	  A8	  1A	  ??
#####################################################################################################

  21 00 09 ; A0 CA 00 00                ;Standard header
             03                         ;Instruction length
             28                         ;Command
             00                         ;Command data length
             00 
             1A                         ;Expected response length
             73                         ;Checksum

  12 00 02 ; 6F 00 7F 			;Command not supported


Ready to send packet:
21 00 09 A0 CA 00 00 03 28 00 00 1A 73

12 00 02 6F 00 7F   			Rom 101-102-S01 command not supported
#####################################################################################################
#####################################################################################################
#Cmd.29
#Rom:FWOnly
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#29	  02	  08	  A9	  04	  ??
#####################################################################################################

  12 00 02 ; 6F 00 7F 			;Command not supported

Ready to send packet:
21 00 08 A0 CA 00 00 02 29 00 04 6C

12 00 02 6F 00 7F   			Rom 101-102-S01 command not supported


#####################################################################################################
#####################################################################################################
#Cmd.2A
#Rom:101-102-S01
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#2A	  02	  08	  AA	  42	  N2	  MECM key request
#####################################################################################################
   Not much info is available on this CMD yet other then it is encrypted data 
being transferred to the ird.  There is speculation that it could be key related.
I do know that if CMD $C0 returns with cam status flag1 bit 7 set then the IRD will 
know to poll the cam with the $2A command.

  21 40 08 ; A0 CA 00 00                ;Standard header
             02                         ;Instruction length
             2A                         ;Command
             00                         ;Command data length
             42                         ;Expected response length
             69                         ;Checksum

  12 40 44 ; AA                         ;Response code
             40                         ;Response data length
             6A C4 1E E9 02 54 CA 4D    ;Data #0
             11 31 D0 6E 35 15 DE EF    ;Data #1
             AF 81 95 BB 3B A2 B5 2B    ;Data #2
             84 6F B6 C7 EF 3C A9 D9    ;Data #3
             4A B9 C6 95 5B E1 35 88    ;Data #4
             0F CF 0C 40 25 69 BC 80    ;Data #5
             CE F2 CF 93 B6 B6 7A 45    ;Data #6
             AD A4 15 C6 16 2F BE 26    ;Data #7
             90 00
             2A

Ready to send packet:
21 40 08 A0 CA 00 00 02 2A 00 42 69

12 40 44 AA 40 6A C4 1E E9 02 54 CA 4D 11 31 D0 6E 35 15 DE EF AF 81 95 BB 3B A2 B5 2B 84 6F B6 C7 EF 3C A9 D9 4A B9 C6 95 5B E1 35 88 0F CF 0C 40 25 69 BC 80 CE F2 CF 93 B6 B6 7A 45 AD A4 15 C6 16 2F BE 26 90 00 2A
#####################################################################################################
#####################################################################################################
#Cmd.2B
#Rom:101-102-103-S01
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#2B	  42	  48	  AB	  02	  N2	  MECM key update
#####################################################################################################
   Not much info is available on this CMD yet other then it is encrypted data 
being transferred to the card after the CMD $2A was sent to the IRD.  There is 
speculation that it could be key related.

  21 00 48 ; A0 CA 00 00                ;Standard header
             42                         ;Instruction length
             2B                         ;Command
             40                         ;Command data length
             09 64 2B E7 C9 9C 92 36    ;Data #0
             EC A6 81 4F BF A0 70 80    ;Data #1
             C5 B1 1E D7 22 93 52 4C    ;Data #2
             B9 75 C5 A5 83 B5 A5 E6    ;Data #3
             23 A7 C5 26 A7 25 45 04    ;Data #4
             D3 FA 53 17 44 1B 9D 40    ;Data #5
             30 0E AB 84 7F 49 A9 64    ;Data #6
             04 FC 1B D7 54 6E FB 33    ;Data #7
             02                         ;Expected response length
             BF                         ;Checksum

  12 00 04 ; AB                         ;Response code
             00                         ;Response data length
             90 00                      ;SW1/SW2: Successful completion
             2D                         ;Checksum

Ready to send packet:
21 00 48 A0 CA 00 00 42 2B 40 09 64 2B E7 C9 9C 92 36 EC A6 81 4F BF A0 70 80 C5 B1 1E D7 22 93 52 4C B9 75 C5 A5 83 B5 A5 E6 23 A7 C5 26 A7 25 45 04 D3 FA 53 17 44 1B 9D 40 30 0E AB 84 7F 49 A9 64 04 FC 1B D7 54 6E FB 33 02 BF

12 00 04 AB 00 90 00 2D
#####################################################################################################
#####################################################################################################
#Cmd.2C
#Rom:FwOnly
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#2C	  02	  08	  AC	  42	  ??
#####################################################################################################


Ready to send packet:
21 00 08 A0 CA 00 00 02 2C 00 42 2F
12 00 02 6F 00 7F Rom101-102-S01

#####################################################################################################
#####################################################################################################
#Cmd.2D
#Rom:FWOnly
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#2D	  42	  48	  AD	  02	  ??
#####################################################################################################

Ready to send packet:
21 00 48 A0 CA 00 00 42 2D 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 2F
12 00 02 6F 00 7F Rom101-102-S01

#####################################################################################################
#####################################################################################################
#Cmd.32
#Rom:101-102-S01
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#32	  05	  0B	  F2	  03	  N2	  Request for encryption of data to be sent in callback
#####################################################################################################

  21 00 0B ; A0 CA 00 00                ;Standard header
             05                         ;Instruction length
             32                         ;Command
             03                         ;Command data length
             09 00 05			;Key Select Byte
             03                         ;Expected response length
             7B                         ;Checksum

  12 00 05 ; F2                         ;Response code
             01                         ;Response data length
             65				;%?
             90 00                      ;SW1/SW2: Successful completion
             11                         ;Checksum
 

Ready to send packet:
21 00 0B A0 CA 00 00 05 32 03 09 00 05 03 7B 

12 00 05 F2 01 65 90 00 11

21 00 0B A0 CA 00 00 05 32 03 41 01 00 05 73

12 00 05 F2 01 65 90 00 11
#####################################################################################################
#####################################################################################################
#Cmd.33
#Rom:101-102-S01
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#33	  02	  08	  F3	  00	  N2	  Request for data encrypted by previous command $32
#####################################################################################################

  21 00 08 ; A0 CA 00 00                ;Standard header
             02                         ;Instruction length
             33                         ;Command
             00                         ;Command data length
             69                         ;Expected response length
             1B                         ;Checksum

  12 40 6B ; F3                         ;Response code
             67                         ;Response data length
             06 65
             41 00
             89 00 18 
             A4 4F 47 B2 74 76 EF 5B 
             74 86 C1 E7 A3 A4 11 AC 
             CB 37 72 2F 0B 87 2B 26 
             6F B6 5A 37 9F 0A 08 69 
             C5 E6 5E F8 54 46 AB A0              
             AA 3B 09 A7 43 53 6A AA 
             F2 AB C7 19 4F 73 1F 18 
             C4 D8 AF D8 49 05 08 2C
             03 F8 84 C7 B5 B4 F8 A5
             FA D7 77 9C BD 19 35 93 
             9C B1 61 29 9E A0 2F A6 
             32 95 5C AC 7B B7 A5 61
             90 00                      ;SW1/SW2: Successful completion
             DE                         ;Checksum

Ready to send packet:

21 00 08 A0 CA 00 00 02 33 00 6C 73

12 40 6B F3 67 06 65 41 00 89 00 18 A4 4F 47 B2 74 76 EF 5B 74 86 C1 E7 A3 A4 11 AC CB 37 72 2F 0B 87 2B 26 6F B6 5A 37 9F 0A 08 69 C5 E6 5E F8 54 46 AB A0 AA 3B 09 A7 43 53 6A AA F2 AB C7 19 4F 73 1F 18 C4 D8 AF D8 49 05 08 2C 03 F8 84 C7 B5 B4 F8 A5 FA D7 77 9C BD 19 35 93 9C B1 61 29 9E A0 2F A6 32 95 5C AC 7B B7 A5 61 90 00 DE

21 00 08 A0 CA 00 00 02 33 00 69 1B 

12 60 58 F3 67 06 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 DD 






#####################################################################################################
#####################################################################################################
#Cmd.48
#Rom:101-102
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#48	  02	  08	  78	  02?	  N2	  Special Entitlement Management Message Cmd48 (EMM)
#####################################################################################################
Send One valid cmd48 will bset stat2,4. IdleLoop will test it and will probaly decrypt it and indicate it

UROM:5F1E bres    STATS2, #4. Now cmd49 will be able to read Emmbuff with 80Len.

UROM:5EA5             IdleLoop:                                         ; CODE XREF: IdleTop:loc_5E9Bj
UROM:5EA5 08 63 5D                    btjt    STATS2, #4, sub_5F05      ; Jump if bit is true

Question, is-it possible to send none valid emmcmd48 and read EMMBUFF with cmd49?


  21 00 XX ; A0 CA 00 00                ;Standard header
	     83				;Always verify by "cp" Instruction length
	     48                         ;Command			
	     xx				;Command data length		
	......................
	     02
	     XX				;Checksum

	
  21 00 08 ; A0 CA 00 00                ;Standard header
	     02                         ;Instruction length
	     48                         ;Command
	     00                         ;Command data length
	     00                         ;Expected response length
	     09                         ;Checksum

  12 00 04 ; 78                         ;Response code
	     00                         ;Response data length
	     90 00                      ;SW1/SW2: Successful completion
	     FE                         ;Checksum


Ready to send packet:
21 00 08 A0 CA 00 00 02 48 00 00 09

12 00 04 78 00 90 00 FE 
12 00 02 6F 00 7F   			Rom S01 command not supported

21 00 27 A0 CA 00 00 02 48 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 26 
12 00 04 78 00 90 00 FE 



21 00 27 A0 CA 00 00 02 48 20 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 06
#####################################################################################################
#####################################################################################################
#Cmd.49
#Rom:101-102
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#49	  02	  08	  79	  56?	  N2	  Read EMMBUF80(Len 80) If one valid Cmd48 was sent
#####################################################################################################
Read EMMBUF80(Len 80) If one valid Cmd48 was sent and Bset STATS2,4 and decrypted by key # and Bset STATS2,4
btjf    STATS2, #5

Get EMMPlaintext from Cmd48

  21 00 08 ; A0 CA 00 00                ;Standard header
             02                         ;Instruction length
             49                         ;Command
             00                         ;Command data length
             86                         ;Expected response length
	     8E                         ;Checksum

  12 20 58 ; 79                         ;Response code
             80                         ;Response data length
             00 00 00 00 00 00 00 00
             00 00 00 00 00 00 00 00
             00 00 00 00 00 00 00 00
             00 00 00 00 00 00 00 00
             00 00 00 00 00 00 00 00
             00 00 00 00 00 00 00 00
             00 00 00 00 00 00 00 00
             00 00 00 00 00 00 00 00
             00 00 00 00 00 00 00 00
             00 00 00 00 00 00 00 00
             00 00 00 00 00 00
             93                         ;Checksum




21 00 A7 A0 CA 00 00 02 49 A0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 86 81

21 00 88 A0 CA 00 00 02 49 80 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 86 8E
 
Ready to send packet:
21 00 08 A0 CA 00 00 02 49 00 86 8E

21 00 08 A0 CA 00 00 02 49 00 86 8E 

21 00 08 A0 CA 00 00 02 49 00 86 8E 

21 00 08 A0 CA 00 00 02 49 00 87 8F 

21 00 08 A0 CA 00 00 02 49 00 88 80

21 00 08 A0 CA 00 00 02 49 00 89 81

21 00 08 A0 CA 00 00 02 49 00 8A 82

21 00 08 A0 CA 00 00 02 49 00 00 08

21 00 08 A0 CA 00 00 02 49 00 FF F7

21 00 08 A0 CA 00 00 FF 49 00 FF 0A

12 20 58 79 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 93 

to get the rest send it
20 90 00 B1
20 80 00 A1

21 C1 01 FE 1F

21 00 08 A0 CA 00 00 02 49 00 86 8E 

12 00 84 79 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 FF 



#####################################################################################################
#####################################################################################################
#Cmd.4A
#Rom:102
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#4A	  XX	  XX	  XX	  xx	  ??
#####################################################################################################
Similar to emmcmd48 ???? but a bit different because date move in ram 02xx?


Ready to send packet:
21 00 08 A0 CA 00 00 02 4A 00 04 0F

12 00 02 6F 00 7F   			Rom 101-102-S01 command not supported

#####################################################################################################
#####################################################################################################
#Cmd.63
#Rom:FwOnly
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#63	  12	  18	  E3	  03	  ??
#####################################################################################################


  21 00 18 ; A0 CA 00 00                ;Standard header
             12                         ;Instruction length
             63                         ;Command
             00                         ;Command data length
             00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
             03                         ;Expected response length
             21                         ;Checksum

  12 00 02 ; 6F 00 7F 			;Command not supported

Ready to send packet:
21 00 18 A0 CA 00 00 12 63 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 21

12 00 02 6F 00 7F			 Rom 101-102-S01 command not supported

21 00 18 A0 CA 00 00 12 63 0E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 2F

12 00 02 6F 00 7F			 Rom 101-102-S01 command not supported


#####################################################################################################
#####################################################################################################
#Cmd.64
#Rom:101-102-S01
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#64	  12	  18	  E4	  03	  N2	  Write IRD info
#####################################################################################################
  The $64 command is used to write IRD-specific information to the CAM.  It
can be used to write the serial number of the IRD as well as 16 bytes of
miscellaneous data that E* uses to store the version numbers of the bootstrap
and firmware in the IRD.  The format of the $64 command is as follows:

  21 00 18 ; A0 CA 00 00                ;Standard header
             12                         ;Instruction length
             64                         ;Command
             10                         ;Command data length
             5C B3 4E 01		;Ird Reversed bytes
             31 32 42 42		;12BB ASCII bootstrap
             43 42 4E 41		;CBNA ASCII build code
             38 33 33 50		;833P ASCII ird firmware
             03                         ;Expected response length
             F3                         ;Checksum

  12 00 05 ; E4                         ;Response code
             01                         ;Response data length
             00
             90 00                      ;SW1/SW2: Successful completion
             62                         ;Checksum

more info see Cmd22 to learn how-to retreive info DT00


Ready to send packet:

21 00 18 A0 CA 00 00 12 64 10 5C B3 4E 01 31 32 42 42 43 42 4E 41 38 33 33 50 03 F3

12 00 05 E4 01 00 90 00 62	 
#####################################################################################################
#####################################################################################################
#Cmd.65
#Rom:101-102-S01
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#65	  02	  08	  E5	  52      N2      Get IRD Command from EmmCmd64
#
#####################################################################################################
	 The $65 command is a follow-up of EmmCmd$64. It allow to retreive emmbuff+10(4Flen) if emm was sent.

Dasm description:
	Read EMMBUF+10(4FLEN) DFto90 move in Iobuff 0E49 to 0DFA IF DBFLAGSH, #5 Is SET(rom102)

EMMCMD64ENCRYP will bset    DBFLAGSH, #5
And Decodeemm will not clr emmbuf if emmcmd64encrypt was done to protect encrypted data
			Clr_EMM_BUF_AND_STAT2 
			btjt    DBFLAGSH, #5, Back2IdleMain 
			call    Clr_ZP                   
			dc.b EMMBUFF
			dc.b $7B


 21 00  08 ; A0 CA 00 00                ;Standard header
             02                         ;Instruction length
             65                         ;Command
             00                         ;Command data length
             52                         ;Expected response length
             76                         ;Checksum

  12 00 54 ; E5                         ;Response code
             50                         ;Response data length
             00 00 00 00 00 00 00 00 	;Data #0
             00 00 00 00 00 00 00 00 	;Data #1
             00 00 00 00 00 00 00 00 	;Data #2
             00 00 00 00 00 00 00 00 	;Data #3
             00 00 00 00 00 00 00 00 	;Data #4
             00 00 00 00 00 00 00 00 	;Data #5
             00 00 00 00 00 00 00 00 	;Data #6
             00 00 00 00 00 00 00 00 	;Data #7
             00 00 00 00 00 00 00 00 	;Data #8
             00 00 00 00 00 00 00 00 	;Data #9
             90 00                      ;SW1/SW2: Successful completion
             63                         ;Checksum

Ready to send packet:
21 00 08 A0 CA 00 00 02 65 00 52 76

12 00 54 E5 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 63
#####################################################################################################
#####################################################################################################
#Cmd.68
#Rom:101-102
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#68	  00	  Varies  E8	  03	  N2	  Process UROM2 Data
#####################################################################################################


  21 00 08 ; A0 CA 00 00                ;Standard header
             00                         ;Instruction length
             68                         ;Command
             00                         ;Command data length
             03                         ;Expected response length
             28                         ;Checksum

  12 00 05 ; E8
             01                         ;Response data length
             00
             90 01                      ;SW1/SW2: 90 01??
             6F                         ;Checksum

Ready to send packet:

21 00 08 A0 CA 00 00 00 68 00 03 28
21 00 06 A0 CA 00 00 00 68 25

12 00 05 E8 01 00 90 01 6F
12 00 02 6F 00 7F   			Rom S01 command not supported
#####################################################################################################
#####################################################################################################
#Cmd.69
#Rom:101-102
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#69	  00	  Varies  E9	  02	  N2	  Process UROM2 Data
#####################################################################################################

  21 00 08 ; A0 CA 00 00                ;Standard header
             02                         ;Instruction length
             69                         ;Command
             00                         ;Command data length
             02                         ;Expected response length
             2A                         ;Checksum

  12 00 04 ; E9                         ;Response code
             00                         ;Response data length
             90 01                      ;SW1/SW2: 90 01??
             6E	                        ;Checksum


Ready to send packet:
21 00 08 A0 CA 00 00 02 69 00 02 2A

12 00 04 E9 00 90 01 6E			Rom 101-102 command supported
12 00 02 6F 00 7F    			Rom S01 command not supported
#####################################################################################################
#####################################################################################################
#Cmd.6A
#Rom:101-102
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#6A	  04	  0A	  EA	  02	  N2	  Update Provider Filter
#####################################################################################################

  21 00 0A ; A0 CA 00 00                ;Standard header
             04                         ;Instruction length
             6A                         ;Command
             00                         ;Command data length
             00 00 
             02                         ;Expected response length
             2D                         ;Checksum

  12 00 04 ; EA                         ;Response code
             00                         ;Response data length
             90 01                      ;SW1/SW2: 90 01??
             6D                         ;Checksum

Ready to send packet:
21 00 0A A0 CA 00 00 04 6A 00 00 00 02 2D
21 00 0A A0 CA 00 00 04 6A 02 00 00 02 2F
 
12 00 04 EA 00 90 01 6D			Rom 101-102 command supported
12 00 02 6F 00 7F    			Rom S01 command not supported
#####################################################################################################
#####################################################################################################
#Cmd.6B
#Rom:101-102
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#6B	  07	  0D	  EB	  02	  N2	  Update and play with DecryptKey no 7A and Provider Filter
#####################################################################################################

  21 00 0D ; A0 CA 00 00                ;Standard header
             07                         ;Instruction length
             6B                         ;Command
             05                         ;Command data length
             00
	     00 00 00 00		;Key compare
             02                         ;Expected response length
             2D                         ;Checksum

  12 00 04 ; EB                         ;Response code
             00                         ;Response data length
             90 00                      ;SW1/SW2: Successful completion
             6D                         ;Checksum

Ready to send packet:
21 00 0D A0 CA 00 00 07 6B 05 00 00 00 00 00 02 2D

12 00 04 EB 00 90 00 6D			Rom 101-102 command supported 
12 00 02 6F 00 7F   			Rom S01 command not supported 
#####################################################################################################
#####################################################################################################
#Cmd.6C
#Rom:101-102
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#6C	  03	  09	  EC	  02	  N2	  Update Provider Filter
#####################################################################################################

  21 00 09 ; A0 CA 00 00                ;Standard header
             03                         ;Instruction length
             6C                         ;Command
             01                         ;Command data length
             00
             02                         ;Expected response length
             2E                         ;Checksum

  12 00 04 ; EC                         ;Response code
             00                         ;Response data length
             90 00                      ;SW1/SW2: Successful completion
             6A                         ;Checksum

Ready to send packet:
21 00 09 A0 CA 00 00 03 6C 01 00 02 2E

12 00 04 EC 00 90 00 6A 		Rom 101-102 command supported 
12 00 02 6F 00 7F   			Rom S01 command not supported 
#####################################################################################################
#####################################################################################################
#Cmd.6D
#Rom:101-102
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#6D	  02	  02	  ED	  04	  N2	  Update or Create DecryptKeyno24
#####################################################################################################

  21 00 08 ; A0 CA 00 00                ;Standard header
             02                         ;Instruction length
             6D                         ;Command
             00                         ;Command data length
             00                         ;Expected response length
             2C                         ;Checksum 

  12 40 04 ; ED                         ;Response code
             00                         ;Response data length
             90 01                      ;SW1/SW2: ??
             2A                         ;Checksum

Ready to send packet:
21 00 08 A0 CA 00 00 02 6D 00 00 2C 

12 40 04 ED 00 90 01 2A
#####################################################################################################
#####################################################################################################
#Cmd.6E
#Rom:FWOnly
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#6E	  00	  Varies  EE	  04      ??
#####################################################################################################

  21 00 08 ; A0 CA 00 00                ;Standard header
             02                         ;Instruction length
             6E                         ;Command
             00                         ;Command data length
             04                         ;Expected response length
             2B                         ;Checksum

  12 00 02 ; 6F 00 7F 			;Command not supported

Ready to send packet:
21 00 08 A0 CA 00 00 02 6E 00 04 2B
12 00 02 6F 00 7F   			Rom 101-102-S01 command not supported


#####################################################################################################
#####################################################################################################
#Cmd.C0
#Rom:2-3-10-11-101-102-S01
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#C0	  02	  08	  B0	  06	  N1/N2   CAM status request
#####################################################################################################
 NEED MEDIUM UPDATE

 This command returns 4 bytes of CAM status bits. Some are completion codes
for the last command sent, some are to signal that the CAM has finished
processing the last command (as in the $03), some indicate that the CAM has
been updated by an EMM ($00) and the IRD should poll for the new info.  A
detailed breakdown of the bits I understand follows the example:


  21 00 08 ; A0 CA 00 00                ;Standard header
             02                         ;Instruction length
             C0                         ;Command
             00                         ;Command data length
             06                         ;Expected response length
             87                         ;Checksum

  12 00 08 ; B0                         ;Response code
             04                         ;Response data length
             08                         ;Response byte 1
             00                         ;CAM status flags 1
             00                         ;CAM status flags 2
             16                         ;CAM status flags 3
             90 00                      ;SW1/SW2: Successful completion
             20                         ;Checksum

  Bit-by-bit breakdown of CAM status flags bytes:

  Bit  Flags 1                Flags 2                Flags 3
  ---  ---------------------  ---------------------  ------------------------
   0   CAM suggests $C1 cmd   CAM suggests $02 cmd   Cmd $03 in progress
   1   CAM has been reset     Cmd 00/01 received     Encrypted ECM data ready
   2   CAM suggests $31 cmd   Cmd 00/01 complete     Cleartext ECM data ready
   3   CAM suggests $30 cmd   Cmd $30 in progress    ECM decrypt failed
   4                          Cmd $31 data ready
   5                          Cmd $60 allowed        Cmd $02 in progress
   6                                                 Cmd $02 complete
   7                                                 Cmd $02 failed

  The following list details the bit definitions in plain english:

  Bit  Flags 1                 Flags 2                 Flags 3
  ---  ---------------------   ---------------------   -----------------------
   0   Database updated        CAM requests MECM data  ECM being processed
   1   CAM has been reset      EMM being processed     Even control word ready
   2   Memory full             EMM processing done     Odd control word ready
   3   Credit low              CC being processed      ECM decrypt failed
   4                           CC processing done                         
   5                           IRD command waiting     MECM being processed
   6                                                   MECM data ready
   7   CAM tamper detected                             MECM decrypt failed

  Notes: CC="Callback", flags 1 bit 4 and flags 2 bits 6+7 not supported by
current EchoStar IRDs.
         CAM tamper detected: This bit is only present in ROM3 cards, and it
is only ever set by EMM F3 commands that check for other flags set in OTP
memory.  At present, only location E010 is used to contain those flags, but
in theory, any location from E010 to E01F could be used.  The EMM F3 commands
that set flags in OTP memory do so based on sanity checks of the card's EEPROM
data, checking such things as the CAM ID, making sure that no data is present
in the portion of code space set aside for bug-catchers, but which has not
been specifically used by "official" bug-catchers, and so on.

Ready to send packet:
21 00 08 A0 CA 00 00 02 C0 00 06 87

12 00 08 B0 04 00 03 00 00 90 00 3D

#####################################################################################################
#####################################################################################################
#Cmd.C4
#Rom:101-102
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#C4	  00	  Varies  B4	  02	  N2	  Special Entitlement Management Message Cmd48 (EMM)
#####################################################################################################

KeySelect=
	IOBUFFER+9
	IOBUFFER+A
	IOBUFFER+B
need update
  21 00 08 ; A0 CA 00 00                ;Standard header
             02                         ;Instruction length
             C4                         ;Command
             00                         ;Command data length
             02                         ;Expected response length
             87                         ;Checksum

  12 00 04 ; B4                         ;Response code
             00                         ;Response data length
             90 00                      ;SW1/SW2: Successful completion
             32                         ;Checksum

Ready to send packet:
21 00 08 A0 CA 00 00 02 C4 00 02 87

21 00 06 A0 CA 00 00 01 C4 88 
RX Data : 12 00 04 B4 00 90 00 32 

Error Receiving Response		Rom 101 command crashed??!!!
12 00 04 B4 00 90 00 32 		Rom 102 command supported
12 00 02 6F 00 7F   			Rom S01 command not supported

#####################################################################################################
#####################################################################################################
#Cmd.C7
#Rom:101-102-S01
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#C7	  02	  08	  B7	  04	  N2	  Request for ID of updated data items
#####################################################################################################
   This command queries the CAM as to the existence of data items that have
changed since they were last polled.  The return data is a bit mapped field,
with each bit representing whether or not a particular type of data has
changed since the last check.  When the CAM first powers up, it will respond
to this command with $FF FF in the return so that the IRD will request all
available data.  An example of the $C7 command is as follows:  

  21 00 08 ; A0 CA 00 00                ;Standard header
             02                         ;Instruction length
             C7                         ;Command
             00                         ;Command data length
             04                         ;Expected response length
             82                         ;Checksum

  12 00 06 ; B7                         ;Response code
             02                         ;Response data length
             FF                         ;Response data byte 1 
             FF                         ;Response data byte 2
             90 00                      ;SW1/SW2: Successful completion
             31                         ;Checksum
Format for response data bytes:


  Bit #   Data byte 1              	   Data byte 2
  -----   -------------------------	   -------------------------
    7     Data type $07 has changed	   Data type $0F has changed
    6     Data type $06 has changed	   Data type $0E has changed
    5     Data type $05 has changed	   Data type $0D has changed
    4     Data type $04 has changed	   Data type $0C has changed
    3     Data type $03 has changed	   Data type $0B has changed
    2     Data type $02 has changed	   Data type $0A has changed
    1     Data type $01 has changed	   Data type $09 has changed
    0     Data type $00 has changed	   Data type $08 has changed   

Ready to send packet:
21 00 08 A0 CA 00 00 02 C7 00 04 82

12 00 06 B7 02 FF FF 90 00 31 
#####################################################################################################
#####################################################################################################
#Cmd.C8
#Rom:101-102-S01
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#C8	  02	  08	  B8	  06	  N2	  Request for date/time
#####################################################################################################


  21 00 08 ; A0 CA 00 00                ;Standard header
             02                         ;Instruction length
             C8                         ;Command
             00                         ;Command data length
             06                         ;Expected response length
             8F                         ;Checksum

  12 00 08 ; B8                         ;Response code
             04                         ;Response data length
             12 72			;Date
             86 0C      		;Time
             90 00                      ;SW1/SW2: Successful completion
             DC                         ;Checksum

Date
Date: Number of days from 01/01/1992
00 00 = 1/1/92 


Time
Number of seconds from the beginning of the day times 2
00 00 = 12:00:00 AM

1 hour = 3600 seconds / 2 = 1800 = 708 (hex)
1 minute = 60 seconds / 2 = 30 = 1E (hex)


How date and time work?

Date: Number of days from 01/01/1992
Hour: Total number of seconds from the beginning of the day times 2
Thanks to Ferchito 

Ready to send packet:
21 00 08 A0 CA 00 00 02 C8 00 06 8F 

12 00 08 B8 04 12 72 86 0C 90 00 DC 
#####################################################################################################
#####################################################################################################
#Cmd.C9
#Rom:FWOnly
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#C9	  00	  Varies  B9	  04	  ??
#####################################################################################################



21 00 08 A0 CA 00 00 00 C9 00 04 8E
12 00 02 6F 00 7F   			Rom 101-102-S01 command not supported

21 00 06 A0 CA 00 00 01 C9 85

#####################################################################################################
#####################################################################################################
#Cmd.Command request
#Rom:
#		Data					RSP	 Cmd
#CMD #   Length  Length  RSP #   Length  Type	Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#
#####################################################################################################

Command request

Command 0xC0 : Resync request						21C000E1 pcb=11000000	12E000F2	jreq    RESYNC	
command 0xC1 : IFS field size change					21C1016485 pcb=11000001	12E1016496	jreq    IFSREQ
Command 0xE1 : response to an IFS request				21E100C0 pcb=11100000	12820090	GOERROROTHER
Command 0xC2 : An ABORT?						21C200E3		12E200F0	jreq    RESYNC
Command 0xE3 : WTX response						21E300C2		12820090	GOERROROTHER
Command 0xE4 : Resync response						21E400C5		12820090	GOERROROTHER

Chained msg to get the rest						219200B3 pcb=92= 10010010 	


#####################################################################################################
#####################################################################################################
#section3.2: EMM command breakdown
#
#####################################################################################################
index
     3.2.01: EMM command $01	Set up for EMM commands
     3.2.10: EMM command $10	Spending limit item create
     3.2.12: EMM command $12	Create subscription tier
     3.2.13: EMM command $13	PPV Service
     3.2.20: EMM command $20	Modify subscription dates
     3.2.46: EMM command $46	Create and update Dt08 ItemId0A
     3.2.47: EMM command $47	DT06 key update for key no 30 (CMD48)
     3.2.48: EMM command $48	Create and update Dt08 ItemId0A
     3.2.49: EMM command $49	Create and update Dt08 ItemId0A
     3.2.42: EMM command $42	DT06 key update
     3.2.4F: EMM command $4F	CW Extra encryption
     3.2.54: EMM command $54	Update blackout bytes
     3.2.81: EMM command $81	Master program provider activation
     3.2.83: EMM command $83	Change EMM system ID
     3.2.64: EMM command $64	Encrypt IRD command
     3.2.90: EMM command $90	Create ItemID0B
     3.2.85: EMM command $85	Create ItemID04
     3.2.9F: EMM command $9F	EmmHeader for nextemmcmd by Cmp UpstatMsb:Lsb
     3.2.A1: EMM command $A1-AF Emm Filter by CamId
     3.2.B1: EMM command $B1	Execute code from RAM
       3.2.B1.0801 List: Emm Command $B1 List of packet 41 42 43 44 45 46 47
     3.2.C4: EMM command $C4	EmmCmdXX with Extra encryption Layer
     3.2.C5: EMM command $C5	WriteEEp at 311E and 311F and Update Date_Copy
     3.2.E0: EMM command $E0	ItemID Update
     3.2.E3: EMM command $E3	Write eeprom
       3.2.E3: EMM command $E3   Write eeprom, Sub section all EmmcmdE3 packet for Rom102Rev241 to Rom102Rev242
	3.2.E3: EMM Command $E3   write eeprom,	Sub Section Understand EmmcmdE3 by dasm

####################################################################################################
####################################################################################################
#EMMHeader
#
####################################################################################################
All Emmpacket Contain this header with other 

Start at Emmbuff80 to Emmbuff91

		09 01				;Emmbuff80Start, Provider
		13 E5 63 3D			;Date
		EC C9				;##??
		09 01				;Provider
		13 E2 8F 68			;Date Valid EMMBUFF8A
		13 E9 00 00			;Date


#####################################################################################################
#####################################################################################################
#section3.2
#     3.2.01: EMM command $01	Set up for EMM commands
#####################################################################################################

Syntaxe : 01
length : 01


#####################################################################################################
#####################################################################################################
#section3.2
#     3.2.10: EMM command $10	Spending limit item create
#####################################################################################################
Syntaxe : 10 XX XX XX XX XX XX
10 14 XX 8D 5C 09 01 01 FF FF FF 14 11 A8 BE 00 00 00 00
Something like this
Desc: IF date NotSame Go Create


#####################################################################################################
#####################################################################################################
#section3.2
#     3.2.12: EMM command $12	Create subscription tier
#####################################################################################################
Syntaxe : 12 XX XX XX XX XX XX
12 EmmCmd
XX XX Begin Date ?
XX XX Expire Date ?
XX XX Rights ID
Desc : This Emmcmd will create Tier Datatype


#####################################################################################################
#####################################################################################################
#section3.2
#     3.2.13: EMM command $13	PPV Service
#####################################################################################################
Syntaxe : 13 XX XX XX XX XX XX .....
13 Emcmd
XX XX Begin Date
XX XX Expire Date
XX XX Rights ID
XXXXXX Ascii Data



#####################################################################################################
#####################################################################################################
#section3.2
#     3.2.20: EMM command $20	Modify subscription dates
#####################################################################################################
Syntaxe : 
  20    ;EMM command
  03 03 33
  00 27 28   ;Rights ID
  13 E5 00 00   ;Date to compare to mod date
  13 E9 A8 BE   ;Date factor for ?
  13 E9 A8 BE   ;Date factor for ?

#####################################################################################################
#####################################################################################################
#section3.2
#     3.2.46: EMM command $46	Create and update Dt08 ItemId0A
#####################################################################################################
Syntaxe : 46>F3 0E 08 FF FF 49 Data

DESC : IF NotFound Go Create
       IF Date NotSame Go Create 

#####################################################################################################
#####################################################################################################
#section3.2
#     3.2.42: EMM command $42	DT06 key update
#####################################################################################################
Syntaxe :
42 00 10 06 08 00 10 10 F2 6F 9D 76 A8 03 DF C7 71 B1 BD F2 EA A1 D1 00
42 Emmcmd
00
10
06 Key##
08
00
10 Length
10 F2 6F 9D 76 A8 03 DF C7 71 B1 BD F2 EA A1 D1 00
Desc : Update Decrypt Key XX


#####################################################################################################
#####################################################################################################
#section
#     3.2.47: EMM command $47	DT06 key update for key no 30 (CMD48)
#####################################################################################################

Syntaxe : 47 X1 X2 30 X4 X5 Length <N Bytes>
42 00 10 06 08 00 10 10 F2 6F 9D 76 A8 03 DF C7 71 B1 BD F2 EA A1 D1 00
Desc : 
42 Emmcmd
00
10
06 Key##
08
00
10 Length
10 F2 6F 9D 76 A8 03 DF C7 71 B1 BD F2 EA A1 D1 00
Desc : Init key no30 and go in Emmcmd42 Process
Basic Decrypt Key Update for Cmd48
#####################################################################################################
#####################################################################################################
#section3.2
#     3.2.48: EMM command $48	Create and update Dt08 ItemId0A(trap2)
#####################################################################################################
Syntaxe : 46>F3 0E 08 FF FF 49 Data

DESC : IF NotFound Go Create
       IF Date NotSame Go Create 
#####################################################################################################
#####################################################################################################
#section3.2
#     3.2.49: EMM command $49	Create and update Dt08 ItemId0A(trap2)
#####################################################################################################
Syntaxe : 46>F3 0E 08 FF FF 49 Data

DESC : IF NotFound Go Create
       IF Date NotSame Go Create 

#####################################################################################################
#####################################################################################################
#section3.2
#     3.2.4F: EMM command $4F	CW Extra encryption
#####################################################################################################

Syntaxe : 4F XX XX XX XX  XX XX XX XX  XX XX XX XX  XX XX XX XX  XX XX
Desc : Extra layer for 
8C5B             Decode_CW_ExtraLayer_Emmcmd4F

#####################################################################################################
#####################################################################################################
#section3.2
#     3.2.54: EMM command $54	Update blackout bytes
#####################################################################################################
Update packet is include in EmmcmdAXCamidFilter if valid nextemmcmd will execute other like 54.
Syntaxe : 54 XX XX

  This EMM command updates the blackout information in the ItemId $05 data item
whose system ID high matches the EMM's system ID high.  This command is
formatted as follows:

             54                              ;EMM command
             03                              ;Blackout byte to update
             04                              ;New blackout byte

  In the above example, byte 3 of the blackout data in the ItemID $05 data item
whose system ID high matches the system ID high of the EMM will be updated to
be $04.  Note that the "blackout byte to update" must be less than $1F, since
there are only  blackout 31 bytes stored in the type $04 data item.
  This is a fixed-length EMM command with a length of $03.

#####################################################################################################
#####################################################################################################
#section3.2
#     3.2.81: EMM command $81	Master program provider activation
#####################################################################################################
Syntaxe : 81 XX XX XX XX XX XX
Desc : Update ProviderInfo Item05 with Camid
update SystemType Item02
Fixed length 07

#####################################################################################################
#####################################################################################################
#section3.2
#     3.2.83: EMM command $83	Change EMM system ID
#####################################################################################################
Syntaxe : 83 08 01
Desc : Basic update to Emm system ID
Fixed length 03

#####################################################################################################
#####################################################################################################
#section3.2
#     3.2.64: EMM command $64	Encrypt IRD command
#####################################################################################################
  This command allows a command to be encrypted to be sent back to the IRD
for processing.  The IRD commands include such things as "force callback",
"unlock and reset password", "modify EEPROM", etc.  It is formatted as
follows:

Syntaxe : 64 XX XX XX XX XX XX XX and more
             64                              ;EMM command
             xx                              ;Length of IRD command
             xx xx xx xx xx xx xx xx         ;IRD command

  The CAM will first compute an LRC for all of the bytes in the IRD command,
including the EMM command byte and the length byte and store that LRC in the
byte immediately following the IRD command.  The CAM will then pad the command
to a total length of $40 bytes with random data.  After all this, the CAM will
IDEA encrypt the entire EMM buffer using the IRD key, and set the "IRD command
waiting" bit in status byte ? (returned by command $C0).

#####################################################################################################
#####################################################################################################
#section3.2
#     3.2.90: EMM command $90	Create ItemId0B
#####################################################################################################

Syntaxe : 90 XX XX XX XX
Desc : unknow
Fixed length 05

#####################################################################################################
#####################################################################################################
#section3.2
#     3.2.9F: EMM command $9F	EmmHeader for nextemmcmd by Cmp UpstatMsb:Lsb
#####################################################################################################
Syntaxe : 9F 09 UU UU uu uu
Desc : UpstatMsb:Lsb cmp with UU UU and UpstatMsb:Lsb cmp with uu uu if greater then NextEmmcmd.
Usefull to target mimimum Upstat Revision Rom.
Fixed length 6


#####################################################################################################
#####################################################################################################
#section3.2
#     3.2.85: EMM command $85	Create ItemId04
#####################################################################################################
Syntaxe : 85 DE XX XX XX XX XX XX XX XX
          85 XX
Desc : Create ItemId04
length = Emmbuff13+2

#####################################################################################################
#####################################################################################################
#section3.2
#     3.2.A1: EMM command $A1-AF Emm Filter by CamId
#####################################################################################################
Description : CamId Filter...Clearemm or nextemmcmd in the same packet

Syntaxe : AX CC CC CC CC XX XX
CC=CAMID 
AX			;Emmcmd
CC CC CC CC		;Camid Filter
length for nextemmcmd is = A Should contain (5 or 6) or (1F or 20)
 -------------------------------------------------------------
|Camid Location in EmmAX Table	compare with|
|A1 x =				30 D8 dc.w CAMID
|A2 x =				30 D8 dc.w CAMID
|A3 x =				30 D8 dc.w CAMID
|A4 x = 94			30 D8 dc.w CAMID or ItemId05,9
|A5 x =				30 D8 dc.w CAMID
|A6 x =				30 D8 dc.w CAMID
|A7 x =				30 D8 dc.w CAMID
|A8 x = 93			30 D8 dc.w CAMID or ItemId05,9
|A9 x =				30 D8 dc.w CAMID
|AA x =				30 D8 dc.w CAMID
|AB x =				30 D8 dc.w CAMID
|AC x = 94			30 D8 dc.w CAMID or ItemId05,9
|AD x =				30 D8 dc.w CAMID
|AE x =				30 D8 dc.w CAMID
|AF x =				30 D8 dc.w CAMID
 -------------------------------------------------------------
Example
A3 1A 98 3C 20 00 DF 3D 7F FF F7 FF FF FF FF FF FF 7F FF FF
F7 FF BF FB F7 BF BF DF FF F8 BF FF 7F FF FE FF
BE DF 20 03 00 03 FF FF FF 00 00 00 00 00 00 A8
BE 14 23 A8 BE

Example
A3 1A 98 3C 08 03 04 00 00 00 00 04 80 00 20 03 00 03 00 1F
7E 00 00 00 00 00 00 A8 BE 14 06 A8 BE







#####################################################################################################
#####################################################################################################
#section3.2
#     3.2.E0: EMM command $E0	ItemID Update
#####################################################################################################
E0 1F A1 07 08 E0 E3 17 F8 10 00 27 1A 05 09 00 00 0B 80 00 0A 7F FF 18 00 00 27 1A 19 00 00 27 27
Desc : play with pSW.Seg
include in emmcmd20
length : emmbuff13(length) + 2




Emm Header
	09 01 13 E5 63 8E 63 93 09 01 13 E2 8F 68 13 E9 00 00 

Emmcmd20
	20 03 03 33 00 27 1A 13 E5 00 00 13 E9 A8 BE 13 E9 A8 BE 

EmmcmdE0
	E0 1F A1 07 08 E0 E3 17 F8 10 00 27 1A 05 09 00 00 0B 80 00 0A 7F FF 18 00 00 27 1A 19 00 00 27 27
	00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7B 11 D0 15 77 02

#####################################################################################################
#####################################################################################################
#section3.2
#     3.2.B1: EMM command $B1	Execute code from RAM
#####################################################################################################
Desc : Ram Execution  at Emmbuff13
length : maximum emmpacket size for rom102 768bits?

EmmcmdE3 Created by b1
#####################################################################################################
#####################################################################################################
#section3.2
#     3.2.B1.0801 List: Emm Command $B1 List of packet 41 42 43 44 45 46 47
#####################################################################################################
EmmcmdB1 Upstat List
	0041 otp mark at 0x3050 with camId from 0x30D8
	0042 Update 8182 3C Len and prepare 81B0 for him and other (43-44-45-46) Upstat update
	0043 Update 8146 3C Len
	0044 Update 810A 3C Len
	0045 Update 80D5 35 Len
	0046 Update bugtable for 9599 80D5
	0047 Update otp mark 3058 305E Update 30E2(for UPDT_STATUS_RESP in Command15)


EmmcmdE3 Upstat List
	0048
	0049
	004A
	004B
	004C
	004D
	004E
	004F
	0050
	0051
	0052
	0053
	0054
	0055	last packet of Rev241
	0056	first packet of Rev242
	3FFF
	4000 ...TO 402A


List with Dasm
#######################################################################################################
21 00 6D A0 CA 00 00 67 04 65 08 01 82 00 90 9B 91 4C 12 D8 8A 25 0D 6A C3 06 8C 06 2C 69 A2 79 43 36 6E 30 75 59 2B FC 8C 93 F4 31 22 17 B3 57 31 33 CB 49 CE 05 68 20 D2 76 43 21 D3 BA 59 9A CA 89 19 0E FF DE 9C 79 EA 21 BA 72 E4 AA 9E 87 CB 45 81 A7 01 4B 05 BC EB AC 38 06 DF 36 91 D8 37 B8 4F 24 98 4B ED 3C CF 45 72 91 7A 26 48 02 C5 
<-->
12 00 04 84 00 90 00 02 
<-->
Sending Command
<-->
<-----------> Cmd 15                         -->  00:25:43
<-->
21 40 07 A0 BB 00 00 02 15 00 6A 
<-->
12 20 A0 30 DD 00 00 02 15 00 08 01 08 01 14 08 A3 F9 00 90 08 01 13 31 A1 B6 14 9E A1 B6 B1 CD 7B B5 00 41 CD 79 D8 01 E0 07 00 25 3D CD 57 00 30 D8 AE E1 A6 04 CD 5B BC 3F E6 AE 04 90 AE 08 E6 E1 46 25 02 3C E6 90 5A 26 F7 5A 2A EF CD 57 00 30 50 AE E1 A6 06 14 64 38 6B CD 6D E0 4F C7 03 DD A6 42 C7 03 DE CD 7C FF 81 00 7A 26 48 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B1

0093: CD 7B B5     jsr UpstatCmpEmmB1   ; get2parms for compare
0096: .db 00                            ; 30E8 Upstat Msb
0097: .db 41                            ; 30E9 Upstat Lsb

0098: CD 79 D8     jsr GetFirstMatchingItem; in: 4 emb. parms
009B: .db 01                            ; mapped ItemID
009C: .db E0                            ; dest
009D: .db 07                            ; count
009E: .db 00                            ; bitfield4compare Outc=1 if not found

009F: 25 3D        bcs $DE              ; Branch if C=1
00A1: CD 57 00     jsr Get2ParmStroreRC1; Get 2 parms and store them at RC1
00A4: .dw 30 D8                         ; RC1H:L

00A6: AE E1        ldx #$E1             ; Load in X
00A8: A6 04        lda #$04             ; Load in A
00AA: CD 5B BC     jsr Move_A_RC1_to_X  ; Move A bytes of memory pointed to by RC1ADDRH:L to ZP starting at X

00AD: 3F E6        clr GetDataItemBuff_E6; <-- 0
00AF: AE 04        ldx #$04             ; Load in X
00B1: 90 AE 08     ldy #$08                ; Load in y
00B4: E6 E1        lda $E1, X           ; Load in A
00B6: 46           rora                 ; a >> 1 (Circular)
00B7: 25 02        bcs $BB              ; Branch if C=1
00B9: 3C E6        inc GetDataItemBuff_E6; +=1
00BB: 90 5A        decy                    ; y--
00BD: 26 F7        bne $B6              ; Branch if <>
00BF: 5A           decx                 ; x--
00C0: 2A EF        bpl $B1              ; Branch if >0
00C2: CD 57 00     jsr Get2ParmStroreRC1; Get 2 parms and store them at RC1
00C5: .dw 30 50                         ; RC1H:L

00C7: AE E1        ldx #$E1             ; Load in X
00C9: A6 06        lda #$06             ; Load in A
00CB: 14 64        bset2 STATS5         ; Bit 2 <-- 1
00CD: 38 6B        lsl EEWRITEOKBITS    ; << 1
00CF: CD 6D E0     jsr WriteRowEE_AfromXtoRC1; [A=len->EEBytesToWrite][X=src->EESrcPtr][RC1=dest-> EDestPtr]

00D2: 4F           clra                 ; a <-- 0
00D3: C7 03 DD     sta UpstatMsb_Tmp    ; Store A in...
00D6: A6 42        lda #$42             ; Load in A
00D8: C7 03 DE     sta UpstatLsb_Tmp    ; Store A in...
00DB: CD 7C FF     jsr Update_Upstat_From_UpstatMsb_Tmp; Update from UpstatMsbTmp at 03DD 30DE

00DE: 81           rts                  ; Return from subroutine

 BYTES DUMP:
---------------------
00DF: 00 7A 26 48 02 



#######################################################################################################
21 40 6D A0 CA 00 00 67 04 65 08 01 82 00 10 4C EB 6E 92 3A D0 D4 EE AD BB 1E 90 DB 51 B0 53 AE 14 32 AC 56 14 9B 70 92 EC 3B D6 FF 2D B1 76 62 63 9C 83 9D 99 80 55 96 30 86 74 C2 18 B4 22 DD C7 C0 38 6E 8B 77 6B E6 C5 EE 7A D2 F4 FB D0 E9 46 DB 5A 55 78 C8 7A AC 10 A9 59 5F 2F 16 91 48 C2 36 08 29 49 F3 1F C1 3B 5F E5 5F 43 32 8E 02 2C 
<-->
12 00 04 84 00 90 00 02 
<-->
Sending Command
<-->
<-----------> Cmd 15                         -->  22:29:04
<-->
21 40 07 A0 BB 00 00 02 15 00 6A 
<-->
12 20 A0 30 DD 00 00 02 15 00 08 01 14 00 73 29 B0 0D 08 01 13 31 A1 B6 14 9E A1 B6 B1 CD 7B B5 00 42 CD 7C 16 81 82 A4 3C 8D 80 81 B0 81 CE 88 CA AF B3 93 26 11 BE 94 B3 95 26 04 A3 FE 27 07 C3 03 DD 26 02 B1 95 81 C6 03 DE AB 01 C7 03 DE C6 03 DD A9 00 C7 03 DD CD 7C FF 87 C6 30 E8 C7 03 DD C6 30 E9 C7 03 DE 20 E1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B0 


0093: CD 7B B5     jsr UpstatCmpEmmB1   ; get2parms for compare
0096: .db 00                            ; 30E8 Upstat Msb
0097: .db 42                            ; 30E9 Upstat Lsb

0098: CD 7C 16     jsr Jmp_WriteRowEE_AfromXtoRC1_init; Copy 4N byte
009B: .dw 81 82                         ; DST
009D: .db A4                            ; SRC
009E: .db 3C                            ; LEN

009F: 8D           ecall 80 81 B0       ; Call $page $add

 BYTES DUMP:
---------------------
00A3: 81 CE 88 CA AF B3 
00A9: 93 26 11 BE 94 B3 95 26 
00B1: 04 A3 FE 27 07 C3 03 DD 
00B9: 26 02 B1 95 81 C6 03 DE 
00C1: AB 01 C7 03 DE C6 03 DD 
00C9: A9 00 C7 03 DD CD 7C FF 
00D1: 87 C6 30 E8 C7 03 DD C6 
00D9: 30 E9 C7 03 DE 20 E1 

###################################################
81B0 Patch Module DASM
load Upstat,w + #$01 and write it
Utility for next emm 

819F: AB 01        add #$01             ; A=A + ...
81A1: C7 03 DE     sta UpstatLsb_Tmp    ; Store A in...
81A4: C6 03 DD     lda UpstatMsb_Tmp    ; Load in A
81A7: A9 00        adc #$00             ; A=A + ... (with carry)
81A9: C7 03 DD     sta UpstatMsb_Tmp    ; Store A in...
81AC: CD 7C FF     jsr Update_Upstat_From_UpstatMsb_Tmp; Update from UpstatMsbTmp at 03DD 30DE

81AF: 87           eret                 ; eret

81B0: C6 30 E8     lda UpstatMsb        ; Load in A
81B3: C7 03 DD     sta UpstatMsb_Tmp    ; Store A in...
81B6: C6 30 E9     lda UpstatLsb        ; Load in A
81B9: C7 03 DE     sta UpstatLsb_Tmp    ; Store A in...
81BC: 20 E1        bra $819F            ; Branch always
####################################################
####################################################################################################################

21 00 6D A0 CA 00 00 67 04 65 08 01 82 00 10 95 AE B0 15 3B 53 9C 17 36 C9 8A 67 45 39 76 64 B6 D1 75 45 49 44 49 45 80 D3 D5 B1 A7 0A AA 4C 14 69 A5 46 02 36 82 24 7A 40 86 65 78 8D 16 A4 17 06 05 DC 27 47 FB 81 88 2E FF DF F4 CC 1C 49 0D DB 4C D7 57 D0 D4 14 70 67 92 64 3B 4C 8C 8B 43 27 9F B9 CD C0 6A 49 46 1C 25 AF 35 8D 82 26 02 02 
<-->
12 00 04 84 00 90 00 02 
<-->
Sending Command
<-->
<-----------> Cmd 15                         -->  22:29:13
<-->
21 40 07 A0 BB 00 00 02 15 00 6A 
<-->
12 20 A0 30 DD 00 00 02 15 00 08 01 14 00 73 B5 2C 49 08 01 13 31 A1 B6 14 9E A1 B6 B1 CD 7B B5 00 43 CD 7C 16 81 46 A4 3C 8D 80 81 B0 81 47 E6 94 B7 48 B6 24 38 6B CD 70 A6 84 20 BA A1 04 26 DD E6 93 C7 03 DD E6 94 C7 03 DE A6 03 20 A8 8D 80 81 9C 84 8D 00 A9 C7 00 95 69 CE 30 E8 C6 30 E9 CF 03 DD C7 03 DE AC 71 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 EC

0093: CD 7B B5     jsr UpstatCmpEmmB1   ; get2parms for compare
0096: .db 00                            ; 30E8 Upstat Msb
0097: .db 43                            ; 30E9 Upstat Lsb

0098: CD 7C 16     jsr Jmp_WriteRowEE_AfromXtoRC1_init; Copy 4N byte
009B: .dw 81 46                         ; DST
009D: .db A4                            ; SRC
009E: .db 3C                            ; LEN

009F: 8D           ecall 80 81 B0       ; Call $page $add


 BYTES DUMP:
---------------------
00A3: 81 47 E6 94 B7 48 
00A9: B6 24 38 6B CD 70 A6 84 
00B1: 20 BA A1 04 26 DD E6 93 
00B9: C7 03 DD E6 94 C7 03 DE 
00C1: A6 03 20 A8 8D 80 81 9C 
00C9: 84 8D 00 A9 C7 00 95 69 
00D1: CE 30 E8 C6 30 E9 CF 03  
####################################################################################################################

21 00 6D A0 CA 00 00 67 04 65 08 01 82 00 10 93 9B FD 89 03 AA 52 45 25 07 A4 5E 0A 30 CB 97 8C C2 91 5D 1D 30 4E 0E 0E E6 60 FD 3C 03 7E 8A 52 FB EC 18 0B C3 0C 4D AF 77 D4 04 06 ED FC 59 5B 52 1B 7F 0E 36 64 5A 29 AA 3A 54 29 56 02 2A 6E 5C 82 CB B5 FD 95 0F 47 DC E5 3C 92 3D 53 29 D1 91 1B E4 19 D5 69 5B 50 18 05 AE 32 86 46 0B 02 B2 
<-->
12 00 04 84 00 90 00 02 
<-->
Sending Command
<-->
<-----------> Cmd 15                         -->  22:29:22
<-->
21 40 07 A0 BB 00 00 02 15 00 6A 
<-->
12 20 A0 30 DD 00 00 02 15 00 08 01 14 00 73 53 19 68 08 01 13 31 A1 B6 14 9E A1 B6 B1 CD 7B B5 00 44 CD 7C 16 81 0A A4 3C 8D 80 81 B0 81 60 AE 05 20 07 BF 24 BB 24 25 21 97 31 E3 01 27 4C 22 19 E6 92 A1 02 26 32 E6 95 AB 04 25 0D 88 E6 95 27 24 B7 24 9F AB 96 24 09 84 84 8D 00 A9 C7 00 55 D3 B7 4B 4F B7 4A E6 93 B7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B8 


0093: CD 7B B5     jsr UpstatCmpEmmB1   ; get2parms for compare
0096: .db 00                            ; 30E8 Upstat Msb
0097: .db 44                            ; 30E9 Upstat Lsb

0098: CD 7C 16     jsr Jmp_WriteRowEE_AfromXtoRC1_init; Copy 4N byte
009B: .dw 81 0A                         ; DST
009D: .db A4                            ; SRC
009E: .db 3C                            ; LEN

009F: 8D           ecall 80 81 B0       ; Call $page $add


 BYTES DUMP:
---------------------
00A3: 81 60 AE 05 20 07 
00A9: BF 24 BB 24 25 21 97 31 
00B1: E3 01 27 4C 22 19 E6 92 
00B9: A1 02 26 32 E6 95 AB 04 
00C1: 25 0D 88 E6 95 27 24 B7 
00C9: 24 9F AB 96 24 09 84 84 
00D1: 8D 00 A9 C7 00 55 D3 B7 
00D9: 4B 4F B7 4A E6 93 B7 00 
00E1: 00 00 00 00 00 00 00 00 
00E9: 00 00 00 00 00 00 00 00 
00F1: 00 00 00 00 00 00 00 00 
00F9: 00 00 00 00 00 00 00 00 
0101: 00 00 00 00 00 00 00 00 
0109: 00 00 00 00 00 00 00 00 
0111: 00 00 00 00 00 00 00 00 


####################################################################################################################
21 00 6D A0 CA 00 00 67 04 65 08 01 82 00 10 92 05 56 FF 9C CA 72 4F DB FF E5 E0 C0 99 BD 16 49 9A 1D 7F 0C DE 38 51 FF 41 AA D3 27 7D 07 92 AF C9 B4 71 89 7B 51 D5 90 74 D8 9F FB 37 75 44 F6 FC CD 32 5E 21 04 C8 BB DE 72 58 6C 91 91 AA 01 F0 D7 06 82 4F 85 62 0F 0F 3C 4D C0 7D 46 84 44 EB 9C D4 5A 0D 93 45 20 F2 2D 9E 88 67 65 54 02 A4 
<-->
12 00 04 84 00 90 00 02 
<-->
Sending Command
<-->
<-----------> Cmd 15                         -->  22:29:58
<-->
21 40 07 A0 BB 00 00 02 15 00 6A 
<-->
12 20 A0 30 DD 00 00 02 15 00 08 01 14 00 73 3A 76 74 08 01 13 31 A1 B6 14 9E A1 B6 B1 CD 7B B5 00 45 CD 7C 16 80 D5 A4 35 8D 80 81 B0 81 A1 48 27 09 A1 49 27 05 A1 E3 27 04 87 CC 80 0E 0B 62 4F 0A 62 02 20 4A C6 03 D3 88 B6 96 AB 05 25 3F 31 E1 01 22 3A A1 4E 22 36 31 E7 01 A6 01 AD 6C 27 02 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B5

0093: CD 7B B5     jsr UpstatCmpEmmB1   ; get2parms for compare
0096: .db 00                            ; 30E8 Upstat Msb
0097: .db 45                            ; 30E9 Upstat Lsb

0098: CD 7C 16     jsr Jmp_WriteRowEE_AfromXtoRC1_init; Copy 4N byte
009B: .dw 80 D5                         ; DST
009D: .db A4                            ; SRC
009E: .db 35                            ; LEN

009F: 8D           ecall 80 81 B0       ; Call $page $add


 BYTES DUMP:
---------------------
00A3: 81 A1 48 27 09 A1 
00A9: 49 27 05 A1 E3 27 04 87 
00B1: CC 80 0E 0B 62 4F 0A 62 
00B9: 02 20 4A C6 03 D3 88 B6 
00C1: 96 AB 05 25 3F 31 E1 01 
00C9: 22 3A A1 4E 22 36 31 E7 
00D1: 01 A6 01 AD 6C 27 02 20


####################################################################################################################
21 00 6D A0 CA 00 00 67 04 65 08 01 82 00 10 80 E8 04 49 8F 11 D9 15 BC FE AA A5 FE 53 58 3E 7B 34 0E 70 EA 88 13 75 D3 13 64 AF 3F 13 43 F9 DB 5B 11 39 53 C8 0A 6D CF 05 47 97 23 B7 6B 3D C0 12 34 09 3F CD F2 D3 20 7C 3D 5B BC D3 F7 47 CE 36 17 C9 F3 01 E8 1E B3 11 E8 38 0E 53 F0 7A A5 B0 4D 00 25 D6 34 A8 8B 93 8A A1 4F 88 F5 2B 02 2F 
<-->
12 00 04 84 00 90 00 02 
<-->
Sending Command
<-->
<-----------> Cmd 15                         -->  22:30:07
<-->
21 40 07 A0 BB 00 00 02 15 00 6A 
<-->
12 20 A0 30 DD 00 00 02 15 00 08 01 14 00 73 65 82 E6 08 01 13 31 A1 B6 14 9E A1 B6 B1 CD 7B B5 00 46 CD 7C 84 05 00 95 99 80 D5 CD 7C 5C 1E CD 7C 84 01 00 00 00 00 00 8D 80 81 B0 81 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 

0093: CD 7B B5     jsr UpstatCmpEmmB1   ; get2parms for compare
0096: .db 00                            ; 30E8 Upstat Msb
0097: .db 46                            ; 30E9 Upstat Lsb

0098: CD 7C 84     jsr UpdatePatchtable ; Update patch table
009B: .db 05                            ; Bug number postion
009C: .db 00                            ; page
009D: .db 95                            ; RomMsb
009E: .db 99                            ; RomLsb
009F: .db 80                            ; EEpromMsb
00A0: .db D5                            ; EEepromLsb

00A1: CD 7C 5C     jsr UpdateBugTableCHKS; UpdateBugTableCHKS one parms for 3177
00A4: .db 1E                            ; parms = BugTable_CHKS_Lsb

00A5: CD 7C 84     jsr UpdatePatchtable ; Update patch table
00A8: .db 01                            ; Bug number postion
00A9: .db 00                            ; page
00AA: .db 00                            ; RomMsb
00AB: .db 00                            ; RomLsb
00AC: .db 00                            ; EEpromMsb
00AD: .db 00                            ; EEepromLsb

00AE: 8D           ecall 80 81 B0               ; Call $page $add

 BYTES DUMP:
---------------------
00B2: 81 
####################################################################################################################
21 00 6D A0 CA 00 00 67 04 65 08 01 82 00 90 C7 12 59 0E A1 9A AA 8F 2E A9 E7 12 85 A3 71 C9 F8 27 D8 A3 D4 CB CC A4 E1 87 A4 1D A7 FB 0A 3C 35 B0 D3 B6 7E D5 2F 6B C5 6D 66 C4 93 FF BC 9D B4 F6 6F E0 FA 2A E0 C7 07 73 58 19 B8 A5 CD D5 CC 23 A4 24 A5 63 56 64 30 9B B4 CE D2 CA 65 66 D5 03 3E FD 3F 38 80 92 72 D7 37 B9 A7 FE C6 3F 02 B7 
<-->
12 00 04 84 00 90 00 02 
<-->
Sending Command
<-->
<-----------> Cmd 15                         -->  22:30:26
<-->
21 40 07 A0 BB 00 00 02 15 00 6A 
<-->
12 20 A0 30 DD 00 00 02 15 00 08 01 14 00 73 24 88 FC 08 01 13 31 A1 B6 14 9E A1 B6 B1 CD 7B B5 00 47 AE E0 A6 FF F7 5C F7 5C F7 CD 57 00 30 58 AE E0 A6 01 14 64 38 6B CD 6D E0 CD 57 00 30 5E AE E1 A6 02 14 64 38 6B CD 6D E0 CD 57 00 30 E2 AE D9 A6 05 CD 4E D9 4F C7 03 DD A6 48 C7 03 DE CC 7C FF 13 55 55 60 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 AD

0093: CD 7B B5     jsr UpstatCmpEmmB1   ; get2parms for compare
0096: .db 00                            ; 30E8 Upstat Msb
0097: .db 47                            ; 30E9 Upstat Lsb

0098: AE E0        ldx #$E0             ; Load in X
009A: A6 FF        lda #$FF             ; Load in A
009C: F7           sta $X               ; Store A in...
009D: 5C           incx                 ; x++
009E: F7           sta $X               ; Store A in...
009F: 5C           incx                 ; x++
00A0: F7           sta $X               ; Store A in...
00A1: CD 57 00     jsr Get2ParmStroreRC1; Get 2 parms and store them at RC1
00A4: .dw 30 58                         ; RC1H:L

00A6: AE E0        ldx #$E0             ; Load in X
00A8: A6 01        lda #$01             ; Load in A
00AA: 14 64        bset2 STATS5         ; Bit 2 <-- 1
00AC: 38 6B        lsl EEWRITEOKBITS    ; << 1
00AE: CD 6D E0     jsr WriteRowEE_AfromXtoRC1; [A=len->EEBytesToWrite][X=src->EESrcPtr][RC1=dest-> EDestPtr]

00B1: CD 57 00     jsr Get2ParmStroreRC1; Get 2 parms and store them at RC1
00B4: .dw 30 5E                         ; RC1H:L

00B6: AE E1        ldx #$E1             ; Load in X
00B8: A6 02        lda #$02             ; Load in A
00BA: 14 64        bset2 STATS5         ; Bit 2 <-- 1
00BC: 38 6B        lsl EEWRITEOKBITS    ; << 1
00BE: CD 6D E0     jsr WriteRowEE_AfromXtoRC1; [A=len->EEBytesToWrite][X=src->EESrcPtr][RC1=dest-> EDestPtr]

00C1: CD 57 00     jsr Get2ParmStroreRC1; Get 2 parms and store them at RC1
00C4: .dw 30 E2                         ; RC1H:L

00C6: AE D9        ldx #$D9             ; Load in X
00C8: A6 05        lda #$05             ; Load in A
00CA: CD 4E D9     jsr CreatePatchBlock_DataAtX; [a= size of patchdata][x= ptr to patchdata][RC1= patch location]

00CD: 4F           clra                 ; a <-- 0
00CE: C7 03 DD     sta UpstatMsb_Tmp    ; Store A in...
00D1: A6 48        lda #$48             ; Load in A
00D3: C7 03 DE     sta UpstatLsb_Tmp    ; Store A in...
00D6: CC 7C FF     jmp Update_Upstat_From_UpstatMsb_Tmp; Update from UpstatMsbTmp at 03DD 30DE


 BYTES DUMP:
---------------------
00D9: 13 55 55 60 13 00 00 00 
00E1: 00 00 00 


----------------------End of      3.2.B1.0801 Table Decrypt List: Emm Command $B1----------------------------------



#####################################################################################################
#####################################################################################################
#section3.2
#     3.2.C4: EMM command $C4	EmmCmdXX with Extra encryption Layer
#####################################################################################################
new Emm in rev 242
Syntaxe : C4 XX......
Desc : Decryption of 4D Len Data
After decryption Data move back on emmbuff12 and ReproceedEmm


#####################################################################################################
#####################################################################################################
#section3.2
#     3.2.C5: EMM command $C5	WriteEEp at 311E and 311F and Update Date_Copy
#####################################################################################################
new emm in rev242
Syntaxe : C5 ?? DD DD
Desc : Date Update after always go EmmBadreturn


#####################################################################################################
#####################################################################################################
#section3.2
#     3.2.E3: EMM command $E3	Write eeprom
#####################################################################################################
Description : EmmcmdE3 was create in Rev241(half of new packet 241 because the rest of 241 packet was send in
emmcmdE3). There is Type02 and type04, One emmpacket contain one emmcmdE3 Header and one or some Types of update.


EXample:
Encrypt
21 00 6D A0 CA 00 00 67 04 65 08 01 82 00 10 60 52 68 8A 5A 6C 27 92 93 91 A3 08 0F 22 DE 56 68 9C AB 03 6A 5C E5 59 9A AE 6D A3 D8 8F E2 DE DD E7 58 98 16 6E 9C B4 48 8E 26 F2 31 02 8B 08 50 D1 8C AA 2F 37 6C 56 4B 32 5E 63 75 2E 15 BE E2 D4 C1 72 E6 89 A6 9F E2 77 68 0A ED 5A EF 94 F6 9D E8 04 D4 C9 14 AF 56 84 9E 3C 87 F7 34 95 02 F0 

decrypt
E3 09 00 56 48 04 3F FF 02 84 E5 1A 83 40 02 A6 FF 38 6B CD 6D E0 CD 58 AB CD 59 6B 3D 4A 26 F1 B6 4B 26 ED 81 83 02 9B BD 16 AE E1 BF 20 CC 81 E2 83 AE 06 BF 20 8D 80 82 19 AE 61 BF 20 87 83 02 31 94 03 D3 84 A0 02 31 77 02 3C 32


Header description
===================================================================================================================
 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
EmmcmdE3 Type 02

E3 09 40 00 49 02 84 A0 45 XX XX XX XX XX XX XX ......
|| || || || || || || || ||
|| || || || || || || || \\==Data Length
|| || || || || || \\=\\=====DstH:L
|| || || || || \\===========EmmCmdE3Type here 02
|| || || || \\==============Complete EmmCmdE3 Length
|| || || \\=================Packet Serial Number or UpstatCmpSrc LSB here 40 00
|| || \\====================Packet Serial number or UpstatCmpSrc MSB
|| \\=======================Packet length Header always 09
\\==========================EmmCmd E0

 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
===================================================================================================================

===================================================================================================================
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
EmmcmdE3 Type 04
                                               ________________________________Upstat Serial#
                                               || || __________________________Complete EmmCmdE3 Length
					       || || ||	_______________________EmmCmdE3Type here 04
					       || || ||	|| ____________________UpstatMsb_Tmp Lsb_Tmp	
					       || || || || || || __type 04 next round after(upstattmp...)become type02
					       || || ||	|| || || ||  __________RC1DESTPTR
					       || || ||	|| || || || || || _____Length
			Type04Example:	 E3 09 00 56 48 04 3F FF 02 84 E5 1A 83 40 02 A6
					    ||				     |>___________Data
					UROMPAGE02:288CA 09			

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
===================================================================================================================

FOR MUCH MORE INFORMATION 
	3.2.E3: EMM Command $E3   write eeprom	Sub Section Understand EmmcmdE3 by dasm

#####################################################################################################
#####################################################################################################
#section3.2
#     3.2.E3: EMM command $E3	Write eeprom
#       3.2.E3: EMM command $E3   Write eeprom Sub section ALL EmmcmdE3 packet for Rom102Rev241 to Rom102Rev242
#####################################################################################################

E3 09 00 48 49 02 81 BE 45 3F FF 5F FF 7F FF FF FF DF 3F F7 FF F7 FF FF FF AB FF 7F FE 00 00 FF FF F3 FF FF FF 6F FF FF FF 00 00 00 00 88 97 54 54 54 AC 71 80 D6 81 BE B7 24 AF B6 92 A4 07 A8 07 97 AC 71 02 D6 89 89 AF B4 24 84 27 0A

E3 09 00 49 49 02 82 03 45 8D 00 A9 C7 00 55 D3 CC 5F 23 26 FB AE 00 27 03 CC 83 0F CC 83 0F 88 AC 71 80 AE 05 D1 82 29 27 0B 5A 26 F8 AF 20 0F B1 B1 B1 D7 14 AF C6 31 1D A4 40 27 24 26 17 A1 AD 26 15 C6 31 1D A4 80 27 17 C6 0D FC A1

E3 09 00 4A 49 02 82 48 45 81 26 10 CD 82 E3 26 0B 84 87 A1 CA 26 05 CD 82 E3 27 08 84 8D 00 A9 C7 00 7A 99 C6 0D FE AB 02 25 F1 C1 0D FC 26 EC A6 FD B7 4B A6 9B B7 4A A6 80 B7 46 CD 56 9E 31 19 C6 31 18 27 05 CD 56 9E 31 1B C6 0D FD

E3 09 00 4B 49 02 82 8D 45 31 C1 00 46 27 13 CD 5C 06 47 4A 02 24 C0 CD 58 8E CD 58 8E CD 58 8E 20 E7 CD 58 8E 31 C6 00 46 27 AC C1 0D FC 22 A7 CD 58 8E 31 C6 00 46 27 9E C1 0D FC 25 99 C6 0D FD A1 68 27 06 A1 69 27 02 84 87 C6 0E 0D

E3 09 00 4C 49 02 82 D2 45 AB 11 25 05 C1 0D FC 27 F2 84 8D 00 A9 C7 00 7A 99 C6 0D FC AB 05 25 09 B1 59 27 07 4C B1 59 27 02 A6 01 81 C6 31 1D BE 88 A3 13 26 05 A4 40 27 05 87 A4 20 26 FB 8D 00 A9 C7 00 5E 71 A1 9F 26 4F B6 93 A4 7F

E3 09 00 4D 49 02 83 17 45 AC 71 02 C1 88 CA AF 26 32 3F 2C CD 56 9E 30 E8 CD 57 54 00 94 CD 59 81 25 02 10 2C CD 57 54 00 96 CD 59 81 22 02 12 2C B6 2C 0F 93 0A A1 02 27 11 A1 01 27 0D 26 04 A1 03 27 07 8D 00 A9 C7 00 55 D3 A6 06 8D

E3 09 00 4E 49 02 83 5D 45 A9 C7 00 95 69 A1 C5 26 68 27 05 CC 5F 23 A7 A7 CD 57 00 31 1F C6 31 1E C1 31 1F 24 08 C6 31 1F CD 57 00 31 1E AC 71 80 CD 5A A6 00 94 83 C6 04 27 0F CD 5A A6 00 94 83 CA 04 27 12 CC 5F 23 A7 A7 26 F9 B1 93

E3 09 00 4F 49 02 83 A2 45 25 09 20 19 CC 5F 23 A7 A7 26 EC AF B6 93 38 6B CD 6D C9 AE 82 CD 57 00 30 DD CD 56 4D 8D 00 A9 C7 00 55 D3 63 68 63 6B 66 6F 72 63 A1 C4 27 03 CC 80 D5 CD 5A 3C 80 E0 12 CD 5A 3C 93 80 4D AC 71 02 CD 5A C0

E3 09 00 50 49 02 83 E7 45 92 2E 0A 20 10 AF A6 08 B7 6F C6 03 D3 A1 09 25 6A 4A 88 88 44 44 44 88 8D 00 84 C7 B6 80 B7 F2 B6 81 B7 F3 3F 80 3F 81 CD 5A 3C 80 88 4D 84 8D 00 87 CE CD 59 DA 0A 20 70 CD 5C 06 76 F2 02 26 38 84 A4 F8 AB

E3 09 00 51 49 02 84 2C 45 88 25 32 B7 4C 84 A4 07 97 27 0C 5A E6 70 92 E8 4C 92 E7 4C 5A 2A F5 CD 5A 3C 8A 92 4E CD 5A 3C E0 80 12 C6 03 D3 A0 03 C7 03 D3 AD 12 8D 00 A9 C7 00 95 91 84 84 AD 07 8D 00 A9 C7 00 55 D3 4F AE 1D 88 5A 2B

(2Type02 in this E3packet)
E3 09 00 52 3C 02 84 71 2F 07 2A FA CC 5F 23 A7 A7 AE 1D 84 5A 2B 07 2A FA CC 5F 23 A7 A7 81 8D 00 56 4D 66 6F 72 63 AC 71 80 8D 00 93 D5 AF 84 84 84 87 4F C7 07 F9 87 02 31 19 05 9B D3 9B D3 A0 00 00 00 00 00 00 00 00 00 00 00 00 00

E3 09 00 53 31 02 9B D3 2D 07 47 67 1C 02 02 04 67 67 C8 02 02 22 03 03 C7 02 02 12 02 02 15 02 02 2A 02 02 2B 42 42 65 02 02 64 12 12 1A 02 02 32 05 05 33 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

E3 09 00 54 2D 02 31 80 29 99 81 E2 00 88 59 80 75 00 81 2B 80 A0 00 8A B3 80 C8 00 95 99 80 D5 00 60 DB 82 19 00 7D 87 82 F6 00 93 D5 84 8F 00 63 9B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

(5Type02 in this E3packet)                                                                      ||31=ascii Rev241
E3 09 00 55 1C 02 31 78 01 30 02 31 7F 01 95 02 31 76 01 01 02 31 93 04 00 00 00 00 02 30 D7 01 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

(4type02 in this E3packetType04andtype02)
E3 09 00 56 48 04 3F FF 02 84 E5 1A 83 40 02 A6 FF 38 6B CD 6D E0 CD 58 AB CD 59 6B 3D 4A 26 F1 B6 4B 26 ED 81 83 02 9B BD 16 AE E1 BF 20 CC 81 E2 83 AE 06 BF 20 8D 80 82 19 AE 61 BF 20 87 83 02 31 94 03 D3 84 A0 02 31 77 02 3C 32 00

#####################################################################################################
#All EmmcmdE3 packet for Rom102Rev241 to Rom102Rev242
#####################################################################################################

Packet Quantity
Rom102 Rev241 to Rev242
Total h2A = dec42 

E3 09 40 00 49 02 84 A0 45 AC 71 80 CD 5A A6 30 E8 84 E6 02 AF 27 01 87 5F A6 83 E7 FF 5A 26 FB 5A CD 57 00 05 80 CD 5B 71 CD 57 00 32 80 AD 21 CD 57 00 16 BE CD 5B 71 CD 57 00 84 FF AD 12 A6 40 C7 03 DD A6 02 C7 03 DE 8D 80 81 9C 87

(4Type02 in this E3packet)
E3 09 40 01 35 02 31 0C 01 01 02 31 A8 0D 63 84 9B 00 95 99 9B BD 00 60 DB 9B C5 02 31 A7 01 80 02 31 93 01 9F 02 31 76 01 00 02 31 7F 04 00 00 00 00 02 31 98 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

E3 09 40 03 49 02 31 B6 45 95 99 81 E2 00 81 2B 8B 14 00 60 DB 8C 64 00 62 5A 84 A0 00 7D 2A 86 C2 00 5E 53 8B 76 00 5E 75 8B 65 00 7A 87 89 2D 00 55 EA 89 B6 00 40 56 32 80 00 5E 71 5F 23 00 89 96 8E 1E 00 7A C4 7A 99 00 87 8D 8C C5

E3 09 40 04 49 02 84 AF 45 C6 0D FD A1 2B 26 14 38 20 CD 47 6A BE 20 A3 C4 27 03 FF FF 83 3C 20 CC 85 49 83 A1 C4 26 01 83 A1 48 26 01 83 A1 07 26 1F C6 0D FE A0 05 A1 40 25 4C A1 60 22 48 A5 07 26 44 BE 20 A3 62 27 03 FF FF 83 3C 20

E3 09 40 05 49 02 84 F4 45 20 0F 83 A1 04 27 08 A1 18 27 04 A1 17 26 37 A6 60 C7 03 E0 C7 03 89 4A 97 D6 0E 04 D7 0A 92 A6 83 D7 0E 04 5A 2A F2 2B 01 83 B6 20 A4 FE A1 62 27 03 FF FF 83 3C 20 87 83 AE 5F A6 83 D7 0E 04 5A 2A F8 2B 01

E3 09 40 06 49 02 85 3A 45 3E 20 BE 20 A3 26 27 03 FF FF 83 3C 20 87 83 02 60 13 BE 20 A3 C5 27 03 FF FF 83 3C 20 8D 00 A9 C7 00 65 D3 83 CD 65 DD C6 03 87 C4 03 84 23 ED 22 01 83 AE 3F D6 0D FF D7 0A 92 A6 83 D7 0D FF 5A 2A F2 2B 01

E3 09 40 07 49 02 85 80 45 CD 57 76 03 83 8D 00 86 C1 8D 80 87 FD 8D 80 86 86 CD 5A A6 0A 92 00 C0 10 27 03 26 BA 83 AE 3F 8D 80 87 94 BE 20 A3 C6 27 03 FF FF 83 3C 20 8D 00 A9 C7 00 65 46 83 8D 80 86 0C C6 03 89 A5 07 26 40 44 44 44

E3 09 40 08 49 02 85 C5 45 3C 20 4A 8D 80 86 9A 8D 80 86 86 1F 70 A6 01 CD 5A A6 00 70 0A 92 08 26 24 27 01 83 CD 5A A6 0A 9A 03 E1 02 26 17 B6 20 A4 EF A1 CF 27 03 FF FF 83 3C 20 CE 03 89 5A 8D 80 87 94 5F 87 CD 59 DA 0A 92 80 27 01

E3 09 40 09 49 02 86 0A 45 87 83 CD 57 00 02 20 CD 5B 71 CD 57 76 03 83 8D 00 86 C8 8D 80 87 B5 CD 57 00 0A 20 CD 5B 71 CD 57 76 03 80 B6 6F 3C 20 A4 70 48 AB 3F 97 D6 0A 92 A4 7F 0F 7F 02 AA 80 D7 0A 92 06 7F 0B 8D 00 86 C1 8D 80 87

E3 09 40 0A 49 02 86 4F 45 FD 20 1B 83 8D 00 86 C8 C6 03 89 44 44 44 8D 80 88 53 AE 09 31 D6 03 83 B7 6F 8D 80 87 B5 8D 80 86 86 B6 7F A4 70 A1 20 23 03 CC 5F 23 48 AB 40 97 8D 80 87 73 87 83 AE 6F A6 83 D7 02 20 D7 0A 20 5A 2A F5 2B

E3 09 40 0B 49 02 86 94 45 01 83 3C 20 87 83 88 CD 57 76 03 86 8D 00 87 6B 84 A1 0F 27 0B A1 0B 22 04 A1 07 24 03 CC 5F 23 CD 57 00 0A 92 3C 20 CD 5C 76 00 87 D7 83 9B CD 7A B1 13 5E 9A 3E 20 8D 80 89 12 C6 0D FD C7 0A 91 AC 71 02 AE

E3 09 40 0C 49 02 86 D9 45 7F D6 0D FE D7 0A 92 A6 83 D7 0D FE E7 80 D6 8B D6 D7 02 20 5A 2A EA 2B 01 83 AF A6 28 B7 6F 8D 80 87 B5 C6 0B 11 CA 0A 91 C7 0B 11 CD 5A C0 30 40 0A 20 10 A6 10 8D 80 88 53 8D 80 87 B5 AE 80 8D 80 87 73 A6

E3 09 40 0D 49 02 87 1E 45 28 B7 6F A6 0F 8D 80 86 A5 1F 70 8D 80 86 86 3E 20 A6 01 CD 5A A6 00 70 0A 92 08 26 02 27 0F BE 20 A3 81 27 03 FF FF 83 3C 20 CC 83 08 83 BE 20 A3 81 27 03 FF FF 83 3C 20 AE 7F 8D 80 87 94 8D 80 82 F6 BE 20

E3 09 40 0E 49 02 87 63 45 A3 82 27 03 FF FF 83 3C 20 CD 5C 76 00 7D 87 83 54 90 93 90 5A 90 D6 0A 92 B7 24 D6 0A 92 90 D7 0A 92 B6 24 D7 0A 92 5C 90 5A 2A E9 2B 01 83 87 83 A3 7F 27 0B A3 5F 22 04 A3 3F 24 03 CC 5F 23 D6 0A 92 E7 80

E3 09 40 0F 49 02 87 A8 45 A6 83 D7 0A 92 5A 2A F3 2B 01 83 87 83 8D 00 A7 C0 A6 02 B7 44 A6 20 B7 45 3F 48 A6 07 8D 00 A8 22 A6 0A B7 44 A6 92 B7 45 3F 48 A6 04 8D 00 A8 22 8D 00 A8 44 A6 02 B7 44 A6 18 B7 45 A6 46 8D 00 A8 22 A6 0A

E3 09 40 10 49 02 87 ED 45 B7 44 A6 92 B7 45 3F 48 A6 0B 8D 00 A8 22 87 83 8D 00 A7 CA 8D 00 A8 44 A6 8B B7 46 A6 C0 B7 47 AC 71 02 A6 49 8D 00 A8 22 AF 8D 00 A7 84 8D 00 A7 C0 A6 02 B7 44 A6 20 B7 45 3F 48 A6 07 8D 00 A8 22 A6 0A B7



E3 09 40 11 49 02 88 32 45 44 A6 92 B7 45 3F 48 A6 04 8D 00 A8 22 A6 04 B7 44 A6 00 B7 45 3F 48 A6 3C 8D 00 A8 22 CC 87 EB 83 88 8D 00 84 81 04 6F 07 8D 00 A2 3C 20 05 83 8D 00 84 6D 85 58 58 58 5A 90 AE 07 89 D6 0A 92 90 E7 70 5A 90 20 A5 50 02


E3 09 40 12 49 02 88 77 45 5A 2A F5 04 6F 07 8D 00 A2 E9 20 05 83 8D 00 84 9D 90 AE 07 85 A3 07 27 11 90 E6 70 D8 0A 8A D7 0A 92 5A 90 5A 2A F2 20 CB 83 CD 5A 6C 0A 92 08 70 CD 5A 7D 02 A2 08 70 87 83 5F A6 83 E7 21 E7 30 E7 3D E7 6C 31 B8 30 02


E3 09 40 13 49 02 88 BC 45 B7 7C 0E 63 16 E7 80 0A 67 0D E7 90 E7 A0 E7 B0 02 60 02 E7 C0 E7 D0 E7 E0 E7 F0 06 62 18 D7 01 00 D7 01 10 D7 01 20 D7 01 30 D7 01 40 D7 01 50 D7 01 60 D7 01 70 D7 01 80 D7 01 90 D7 01 A0 D7 01 B0 D7 01 C0

E3 09 40 14 49 02 89 01 45 D7 01 D0 D7 01 E0 D7 01 F0 5C A3 10 25 A3 24 01 83 C6 2F 70 C8 2F 71 01 06 0F 27 0E 20 03 FF FF 83 4A 20 03 FF FF 83 20 EE 83 87 83 C7 0D EC 30 20 CD 52 51 1B 67 1F 63 1B 63 02 63 32 04 63 2F 0C 63 1A 8D 80

E3 09 40 15 49 02 89 46 45 88 B1 71 02 BE 20 DE 8A 91 A3 04 24 03 FF FF 83 8D 80 8D D0 CC 8B 93 83 38 20 BE 20 A3 B2 27 03 FF FF 83 3C 20 8D 00 81 FB 83 3E 20 8D 80 88 B1 02 66 08 CD 89 E4 26 03 27 08 83 CD 8D C5 CC 55 DA 83 26 09 CD 92 C1 40 02


E3 09 40 16 49 02 89 8B 45 8D C5 04 63 04 02 63 10 83 BE 20 A3 D0 27 03 FF FF 83 3C 20 CC 55 FD 83 BE 20 A3 E0 27 03 FF FF 83 3C 20 8D 80 8A 05 CC 55 BF 83 11 68 1A 68 C6 0D F8 A1 F2 26 0E BE 20 A3 B3 27 03 FF FF 83 3C 20 CC 89 44 8D

E3 09 40 17 49 02 89 D0 45 80 88 B1 B6 20 A1 C9 24 03 FF FF 83 8D 80 8D DE CC 8B 93 83 B6 20 A4 EF A1 C9 27 03 FF FF 83 3C 20 16 6B 8D 80 85 B7 27 03 26 08 83 CD 5A 7D 03 E1 02 80 81 83 02 61 45 0A 63 42 0E 63 3F 3F 4E A6 FF CD 48 20

E3 09 40 18 49 02 8A 15 45 25 36 C7 02 C3 AE 07 31 D6 00 4D A5 02 27 EC CD 78 02 25 24 9F 5C 5C B3 50 26 E0 CD 58 AB CD 57 54 30 DD AE 4A A6 02 AC 72 46 CD 5C 2C AF 25 CB 10 6B CD 47 93 CD 4F 51 87 83 10 6B CD 57 00 31 20 CD 4A 69 11

E3 09 40 19 49 02 8A 5A 45 6B 81 83 4F C7 07 F9 AC A6 0B C7 09 00 CD 5A C0 30 DD 09 01 04 4F C7 09 07 C6 30 54 4C C7 09 05 B7 80 A6 01 C7 09 06 B7 81 A6 00 C7 09 08 B7 83 A6 18 C7 09 09 CD 8C 82 00 CD 57 FE 09 0A 27 04 A6 80 AD B1 CD

E3 09 40 1A 49 02 8A 9F 45 8C 82 01 CD 57 FE 09 0C 27 04 A6 40 AD A2 CD 8C 82 02 CD 57 FE 09 0E 27 04 A6 20 AD 93 AE 07 D6 30 60 D7 09 10 D6 31 20 D7 09 18 5A 2A F1 71 80 CD 7A 2D 01 E0 00 00 25 15 AE 0F 31 D6 00 4D C7 09 20 AE 11 31

E3 09 40 1B 49 02 8A E4 45 D6 00 4D C7 09 21 20 09 83 A6 FF C7 09 20 C7 09 21 71 80 CD 7A 2D 0B E0 00 D0 A6 22 10 6B 24 05 CD 48 CA 20 03 CD 49 10 CD 4F 51 11 6B AF 87 83 A3 0B 26 1E 88 89 AE 05 31 D6 00 4D C1 07 FF 85 84 27 07 8D 00

E3 09 40 1C 49 02 8B 29 45 A9 C7 00 81 47 98 8D 00 A9 C7 00 81 73 CC 80 A0 83 B6 20 A4 FC A1 00 27 03 FF FF 83 3C 20 13 5E A6 22 C1 0D EC 26 43 0B 5E 40 9A 1C 6B BE 20 A3 04 27 03 FF FF 83 3C 20 CC 46 CF 83 8D 80 88 B1 B6 20 A4 FE A1

E3 09 40 1D 49 02 8B 6E 45 82 27 22 FF FF 20 1E 83 14 5E 1D 5E A6 C0 B7 5B 3F 5C 4F C7 0D EB 3F 58 3F 57 A6 0F C7 0D EA 1A 56 10 5F 13 5F 9B 10 05 71 00 3F 6B 3F 4E 12 5E 3F 20 11 5F 3F 57 9C A6 3A 88 A6 8B 88 A6 37 88 88 A6 C8 88 20


E3 09 40 1E 49 02 8B DB 45 11 06 17 0D 9D 00 00 B0 20 03 FF FF 83 9D B6 20 A1 02 23 03 FF FF 83 3C 20 9D A6 01 C7 07 EF B6 00 A4 01 A0 01 20 03 FF FF 83 59 AB 11 CB 07 EF 20 03 FF FF 83 9D 2A E4 20 03 FF FF 83 9D B8 00 A4 01 27 02 16

E3 09 40 1F 49 02 8C 20 45 5E 9F BE 57 26 0A 20 03 FF FF 83 B7 51 20 06 83 5A 26 2E B7 52 3C 57 BE 57 B3 20 27 03 FF FF 83 01 00 98 CE 0D EA 01 00 92 A6 3D 01 00 8D 4A 01 00 89 26 F7 01 00 84 5A 01 00 80 26 E9 CC 43 14 83 CC 41 66 BE

E3 09 40 20 49 02 8C 65 45 20 A3 05 27 03 FF FF 83 3C 20 8D 80 82 19 3E 20 BE 20 A3 60 27 03 FF FF 83 3C 20 87 83 CD 59 8E 01 71 80 92 C6 47 92 C1 47 26 F8 A1 02 23 03 CC 5F 23 4E CD 57 00 30 80 CD 58 AB AE 0F 3F 28 92 D6 47 92 D1 47

E3 09 40 21 49 02 8C AA 45 26 F8 A1 07 27 05 4D 27 02 3C 28 AB FF 36 4A 36 4B 5A 2A E6 CD 8D 30 3D 28 81 83 AE 40 BF 20 CD 8C 82 00 CE 31 2B C6 31 2C 90 CE 31 28 26 06 CE 31 29 C6 31 2A B3 4A 22 06 25 32 B1 4B 25 2E CD 8D AA B1 20 27

E3 09 40 22 49 02 8C EF 45 04 B7 20 20 D5 CD 8D 86 CD 57 00 30 60 C6 30 60 AE 4A FA F7 C6 30 61 BA 4B B7 4B A6 02 14 64 38 6B CD 6D E0 CC 5F 23 83 24 D0 B6 20 A1 80 27 04 38 20 20 A6 C6 31 2D 27 04 48 CD 38 50 CC 5F 23 83 B6 4A B7 4C

E3 09 40 23 49 02 8D 34 45 34 4C B8 4C 34 4C B8 4C 34 4C B8 4C 34 4C B8 4C 34 4C B8 4C 34 4C B8 4C 34 4C B8 4C B7 4C B8 4B 34 4A 36 4B B8 4B 34 4A 36 4B B8 4B 34 4A 36 4B B8 4B 34 4A 36 4B B8 4B 34 4A 36 4B B8 4B 34 4A 36 4B B8 4B 34

E3 09 40 24 49 02 8D 79 45 4A 36 4B B8 4B B7 4B B6 4C B7 4A 81 83 A1 0F 22 1E BB 48 B7 48 4F B9 47 B7 47 A6 07 92 CE 47 92 C3 47 26 F8 5D 27 01 4F AE 96 BF 6B CD 6D C9 81 83 3C 4B 26 08 3C 4A 26 04 A6 FF 20 0D BE 4A 90 BE 4B A6 10 4A

E3 09 40 25 49 02 8D BE 45 54 90 56 24 FA 81 83 19 60 8D 80 8D D0 9A 12 12 81 83 8D 80 89 12 9B C6 0D EC CD 46 64 20 35 83 A6 7A 09 60 33 A6 12 88 A6 8E 88 88 88 A6 C8 88 B6 11 13 12 AE 10 BF 12 3F 11 12 12 01 00 F3 02 12 FA 9A 9D 9B

(3Type02 in this E3packet)
E3 09 40 26 49 02 31 FC 27 40 38 8C C5 00 40 30 8C C5 00 40 5E 8C C5 00 55 8F 8C C5 00 60 DB 8C C5 00 62 5A 8C C5 00 7A 87 8C C5 00 80 63 8A 5D 02 32 80 13 8D 80 8D DE 12 12 A6 32 31 E7 02 A6 92 31 E7 03 87 83 80 02 31 80 03 70 87 B3

(3Type02 in this E3packet)
E3 09 40 27 46 02 8E 03 26 19 60 3E 51 A1 02 27 04 CC 42 A3 83 CC 42 85 13 5E A6 02 B7 11 A6 34 B7 12 87 83 8A 9B 8D 00 89 96 86 84 84 84 87 02 84 87 08 83 83 83 83 83 83 83 83 02 31 29 05 FF FF FF FF 07 02 31 99 03 FB 87 B3 00 00 00

(3Type02 in this E3packet)
E3 09 40 28 30 02 8B B9 1D 01 00 1F B6 03 01 00 1A A4 3F 01 00 15 A1 13 01 00 10 27 04 CC 5F 23 83 00 00 E5 20 05 02 31 0C 01 01 02 31 78 01 AA 02 8B B3 01 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                        ||newbugtablesize!!!!!

(6Type02 in this E3packet)
E3 09 40 29 3F 02 31 7F 01 72 02 31 93 06 00 00 00 00 00 72 02 84 A0 0F 8D 80 88 B1 BE 20 A3 61 27 03 FF FF 83 3C 20 02 31 76 01 01 02 31 9D 04 00 00 00 00 02 31 A7 04 00 00 00 00 02 30 E2 04 0B 2E 2E 01 00 00 00 00 00 00 00 00 00 00

(4Type02 in this E3packet)
E3 09 40 2A 33 02 31 AC 09 00 00 00 00 00 00 00 00 00 02 31 89 04 00 00 00 00 02 9B BD 15 83 83 83 83 83 83 83 83 83 83 83 83 83 83 83 83 83 83 83 83 83 02 30 D7 01 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                                ||
                                                ascii Rev242 at 30 D7






#####################################################################################################
#####################################################################################################
#section3.2
#     3.2.E3: EMM command $E3	Write eeprom
#	3.2.E3: EMM Command $E3   write eeprom	Sub Section Understand EmmcmdE3 by dasm
#####################################################################################################
First Collect Data from emm (or directly for 241 binary)

Upstat42
start0x8182
CE 88 CA AF B3 93 26 11 BE 94 B3 95 26 04 A3 FE 27 07 C3 03 DD 26 02 B1 95 81 C6 03 DE AB 01 C7 03 DE C6 03 DD A9 00 C7 03 DD CD 7C FF 87 C6 30 E8 C7 03 DD C6 30 E9 C7 03 DE 20 E1

Upstat43
start0x8146
47 E6 94 B7 48 B6 24 38 6B CD 70 A6 84 20 BA A1 04 26 DD E6 93 C7 03 DD E6 94 C7 03 DE A6 03 20 A8 8D 80 81 9C 84 8D 00 A9 C7 00 95 69 CE 30 E8 C6 30 E9 CF 03 DD C7 03 DE AC 71 02

Upstat44
start0x810A
60 AE 05 20 07 BF 24 BB 24 25 21 97 31 E3 01 27 4C 22 19 E6 92 A1 02 26 32 E6 95 AB 04 25 0D 88 E6 95 27 24 B7 24 9F AB 96 24 09 84 84 8D 00 A9 C7 00 55 D3 B7 4B 4F B7 4A E6 93 B7

Upstat45
start0x80D5
A1 48 27 09 A1 49 27 05 A1 E3 27 04 87 CC 80 0E 0B 62 4F 0A 62 02 20 4A C6 03 D3 88 B6 96 AB 05 25 3F 31 E1 01 22 3A A1 4E 22 36 31 E7 01 A6 01 AD 6C 27 02 20

Update 45 + 44 + 43 + 42 + byte 80D0 to 80D4(because copypaste problem)
Ready for copy paste
DA 07 78 31 87 A1 48 27 09 A1 49 27 05 A1 E3 27 04 87 CC 80 0E 0B 62 4F 0A 62 02 20 4A C6 03 D3 88 B6 96 AB 05 25 3F 31 E1 01 22 3A A1 4E 22 36 31 E7 01 A6 01 AD 6C 27 02 20 60 AE 05 20 07 BF 24 BB 24 25 21 97 31 E3 01 27 4C 22 19 E6 92 A1 02 26 32 E6 95 AB 04 25 0D 88 E6 95 27 24 B7 24 9F AB 96 24 09 84 84 8D 00 A9 C7 00 55 D3 B7 4B 4F B7 4A E6 93 B7 47 E6 94 B7 48 B6 24 38 6B CD 70 A6 84 20 BA A1 04 26 DD E6 93 C7 03 DD E6 94 C7 03 DE A6 03 20 A8 8D 80 81 9C 84 8D 00 A9 C7 00 95 69 CE 30 E8 C6 30 E9 CF 03 DD C7 03 DE AC 71 02 CE 88 CA AF B3 93 26 11 BE 94 B3 95 26 04 A3 FE 27 07 C3 03 DD 26 02 B1 95 81 C6 03 DE AB 01 C7 03 DE C6 03 DD A9 00 C7 03 DD CD 7C FF 87 C6 30 E8 C7 03 DD C6 30 E9 C7 03 DE 20 E1

After bugcatcher is enable for it with upstat 46

0098: CD 7C 84     jsr UpdatePatchtable ; Update patch table
009B: .db 05                            ; Bug number postion
009C: .db 00                            ; page
009D: .db 95                            ; RomMsb
009E: .db 99                            ; RomLsb
009F: .db 80                            ; EEpromMsb
00A0: .db D5                            ; EEepromLsb
#####################################################################################################################
DISASSEMBLY OF CODE: EmmcmdE3 module is include in Rom102Rev241 for process all other write update
------------------------------
BugcatcherTrap on 009599:80D5

EEPROM80:8080E5             EMMCMDE3_Check_STATS3_5:             ; CODE XREF: EMMHandler_Rev241+Aj
EEPROM80:8080E5 0B 62 4F            btjf    STATS3, #5, EMMCMDE3_EMMBAD ; 1:ProceedEmmCmd_Get_IrdInfo ok
EEPROM80:8080E8 0A 62 02            btjt    STATS3, #5, EMMCMDE3 ; Jump if bit is true
EEPROM80:8080EB 20 4A               jra     EMMCMDE3_EMMBAD      ; Branch always EMMBAD_RETURN_CLRBUFF
EEPROM80:8080ED             ; ---------------------------------------------------------------------------
EEPROM80:8080ED
EEPROM80:8080ED             EMMCMDE3:                            ; CODE XREF: EMMHandler_Rev241+13j
EEPROM80:8080ED C6 03 D3            ld      a, EMMLENPREVIOUS    ; Load
EEPROM80:8080F0 88                  push    a                    ; Push onto the Stack
EEPROM80:8080F1 B6 96               ld      a, {EMMBUFF+$16}     ; Load
EEPROM80:8080F3 AB 05               add     a, #5                ; Addition
EEPROM80:8080F5 25 3F               jrc     EMMCMDE3_POPA_EMMBAD ; Jump if C = 1
EEPROM80:8080F7 31 E1 01            cp      a, (1,s)             ; Arithmetic Compare
EEPROM80:8080FA 22 3A               jrugt   EMMCMDE3_POPA_EMMBAD ; Jump if (C + Z = 0)
EEPROM80:8080FC A1 4E               cp      a, #$4E ; 'N'        ; Arithmetic Compare
EEPROM80:8080FE 22 36               jrugt   EMMCMDE3_POPA_EMMBAD ; Jump if (C + Z = 0)
EEPROM80:808100 31 E7 01            ld      (1,s), a             ; Load
EEPROM80:808103 A6 01               ld      a, #1                ; A=01
EEPROM80:808105 AD 6C               callr   EMMCMDE3_Load_UpstatMsbLsb_To_UpstatMsb_Tmp ; Call subroutine relative
EEPROM80:808107 27 02               jreq    loc_80810B           ; Jump if Z = 1 (equal)
EEPROM80:808109 20 60               jra     EMMCMDE3_NEXTEMMCMD  ; Jump relative always
EEPROM80:80810B             ; ---------------------------------------------------------------------------
EEPROM80:80810B
EEPROM80:80810B             loc_80810B:                          ; CODE XREF: EMMHandler_Rev241+32j
EEPROM80:80810B AE 05               ld      x, #5                ; X=05
EEPROM80:80810D 20 07               jra     loc_808116           ; Jump relative always
EEPROM80:80810F             ; ---------------------------------------------------------------------------
EEPROM80:80810F
EEPROM80:80810F             loc_80810F:                          ; CODE XREF: EMMHandler_Rev241+7Ej
EEPROM80:80810F                                                  ; EMMHandler_Rev241+90j
EEPROM80:80810F BF 24               ld      RAMCODE, x           ; Load
EEPROM80:808111 BB 24               add     a, RAMCODE           ; Type04=X=06
EEPROM80:808113 25 21               jrc     EMMCMDE3_POPA_EMMBAD ; 01+05=06 ;(A=03)+(x=06)=(A=09)
EEPROM80:808115 97                  ld      x, a                 ; now x=06 ;Type04=X=09
EEPROM80:808116
EEPROM80:808116             loc_808116:                          ; CODE XREF: EMMHandler_Rev241+38j
EEPROM80:808116 31 E3 01            cp      x, (1,s)             ; Arithmetic Compare
EEPROM80:808119 27 4C               jreq    EMMCMDE3_Load_Add1_write ; NEXTEMMCMD
EEPROM80:80811B 22 19               jrugt   EMMCMDE3_POPA_EMMBAD ; Jump if (C + Z = 0)
EEPROM80:80811D E6 92               ld      a, ($92,x)           ; Load
EEPROM80:80811F             E3 09 40 00 49 02 84 A0 45 XX XX XX XX XX XX XX ......
EEPROM80:80811F             || || || || || || || || ||
EEPROM80:80811F             || || || || || || || || \\==Data Length
EEPROM80:80811F             || || || || || || \\=\\=====DstH:L
EEPROM80:80811F             || || || || || \\===========EmmCmdE3Type here 02
EEPROM80:80811F             || || || || \\==============Complete EmmCmdE3 Length
EEPROM80:80811F             || || || \\=================Packet Serial Number or UpstatCmpSrc LSB here 40 00
EEPROM80:80811F             || || \\====================Packet Serial number or UpstatCmpSrc MSB
EEPROM80:80811F             || \\=======================Packet length Header always 09
EEPROM80:80811F             \\==========================EmmCmd E0
EEPROM80:80811F
EEPROM80:80811F             EMMCMDE3_Type02:                     ; Arithmetic Compare
EEPROM80:80811F A1 02               cp      a, #2
EEPROM80:808121 26 32               jrne    EMMCMDE3_Type04      ; Jump if Z = 0 (not equal)
EEPROM80:808123 E6 95               ld      a, ($95,x)           ; A=45  ;Type04=1A(example)
EEPROM80:808125 AB 04               add     a, #4                ; 45+04 = 49 ;1A+04+1E
EEPROM80:808127 25 0D               jrc     EMMCMDE3_POPA_EMMBAD ; Jump if C = 1
EEPROM80:808129 88                  push    a                    ; Push onto the Stack
EEPROM80:80812A E6 95               ld      a, ($95,x)           ; type02=45Len ;type04=1ALen
EEPROM80:80812C 27 24               jreq    loc_808152           ; Jump if Z = 1 (equal)
EEPROM80:80812E B7 24               ld      RAMCODE, a           ; Ramcode=XXLength
EEPROM80:808130 9F                  ld      a, x                 ; Type02=x=06 ;type04=x=09
EEPROM80:808131 AB 96               add     a, #$96 ; ''        ; 96+6=9c ;96+9=9F  Emmbuffdataarea
EEPROM80:808133 24 09               jrnc    loc_80813E           ; Jump if C = 0
EEPROM80:808135 84                  pop     a                    ; A=Previous len+04
EEPROM80:808136
EEPROM80:808136             EMMCMDE3_POPA_EMMBAD:                ; CODE XREF: EMMHandler_Rev241+20j
EEPROM80:808136                                                  ; EMMHandler_Rev241+25j ...
EEPROM80:808136 84                  pop     a                    ; type02=49 ;type04=1E
EEPROM80:808137
EEPROM80:808137             EMMCMDE3_EMMBAD:                     ; CODE XREF: EMMHandler_Rev241:EMMCMDE3_Check_STATS3_5j
EEPROM80:808137                                                  ; EMMHandler_Rev241+16j
EEPROM80:808137 8D 00 A9 C7         ecall   #0:StackReturn_by3Parms ; //StackReturn_by3Parms
EEPROM80:808137                                                  ; // get 3 parms
EEPROM80:808137                                                  ; //PAGE NEW DSTH:L RETURN
EEPROM80:808137             ; ---------------------------------------------------------------------------
EEPROM80:80813B 00                  dc.b 0
EEPROM80:80813C 55 D3               dc.w $55D3                   ; emmbadreturn
EEPROM80:80813E             ; ---------------------------------------------------------------------------
EEPROM80:80813E
EEPROM80:80813E             loc_80813E:                          ; CODE XREF: EMMHandler_Rev241+5Ej
EEPROM80:80813E B7 4B               ld      RC2.Offs16.LSB, a    ; Type02=9C ;Type04=9F
EEPROM80:808140 4F                  clr     a                    ; Clear
EEPROM80:808141 B7 4A               ld      RC2.Offs16.MSB, a    ; RC2H:L contain SRCPTR
EEPROM80:808143 E6 93               ld      a, ($93,x)           ; type02=84DESTH ;Type04:84DESTH
EEPROM80:808145 B7 47               ld      RC1.Offs16.MSB, a    ; Load
EEPROM80:808147 E6 94               ld      a, ($94,x)           ; type02=A0DESTL ;Type04=E5DESTL
EEPROM80:808149 B7 48               ld      RC1.Offs16.LSB, a    ; RC1H:L contain DESTPTR
EEPROM80:80814B B6 24               ld      a, RAMCODE           ; Ramcode was contain XXLength type02=56 type04=1A
EEPROM80:80814D 38 6B               sll     EEWRITEOKBITS        ; Shift left Logic
EEPROM80:80814F CD 70 A6            call    WriteRowEE_RC2LenAToRC1 ; in: a= size RC2 = srcptr;
EEPROM80:80814F                                                  ; RC1= destptr out:RC1 unchanged; RC2+=written
EEPROM80:808152
EEPROM80:808152             loc_808152:                          ; CODE XREF: EMMHandler_Rev241+57j
EEPROM80:808152 84                  pop     a                    ; Pop from the Stack
EEPROM80:808153 20 BA               jra     loc_80810F           ; Jump relative always
EEPROM80:808155             ; ---------------------------------------------------------------------------
EEPROM80:808155                          ________________________________Upstat Serial#
EEPROM80:808155                          || || __________________________Complete EmmCmdE3 Length
EEPROM80:808155                          || || || _______________________EmmCmdE3Type here 04
EEPROM80:808155                          || || || || ____________________UpstatMsb_Tmp Lsb_Tmp
EEPROM80:808155                          || || || || || || __type 04 next round after(upstattmp...)become type02
EEPROM80:808155                          || || || || || || ||  __________RC1DESTPTR
EEPROM80:808155                          || || || || || || || || || _____Length
EEPROM80:808155             Type04:E3 09 00 56 48 04 3F FF 02 84 E5 1A 83 40 02 A6
EEPROM80:808155                       ||                               |>____________DATA
EEPROM80:808155                UROMPAGE02:288CA 09
EEPROM80:808155
EEPROM80:808155
EEPROM80:808155             EMMCMDE3_Type04:                     ; CODE XREF: EMMHandler_Rev241+4Cj
EEPROM80:808155 A1 04               cp      a, #4                ; Arithmetic Compare
EEPROM80:808157 26 DD               jrne    EMMCMDE3_POPA_EMMBAD ; Jump if Z = 0 (not equal)
EEPROM80:808159 E6 93               ld      a, ($93,x)           ; A=3F
EEPROM80:80815B C7 03 DD            ld      UpstatMsb_Tmp, a     ; Load
EEPROM80:80815E E6 94               ld      a, ($94,x)           ; A=FF
EEPROM80:808160 C7 03 DE            ld      UpstatLsb_Tmp, a     ; Load
EEPROM80:808163 A6 03               ld      a, #3                ; A=03
EEPROM80:808165 20 A8               jra     loc_80810F           ; Jump relative always
EEPROM80:808167             ; ---------------------------------------------------------------------------
EEPROM80:808167
EEPROM80:808167             EMMCMDE3_Load_Add1_write:            ; CODE XREF: EMMHandler_Rev241+44j
EEPROM80:808167 8D 80 81 9C         ecall   #$80:{loc_819B+1}    ; 80819C
EEPROM80:80816B
EEPROM80:80816B             EMMCMDE3_NEXTEMMCMD:                 ; CODE XREF: EMMHandler_Rev241+34j
EEPROM80:80816B 84                  pop     a                    ; Pop from the Stack
EEPROM80:80816C 8D 00 A9 C7         ecall   #0:StackReturn_by3Parms ; //StackReturn_by3Parms
EEPROM80:80816C                                                  ; // get 3 parms
EEPROM80:80816C                                                  ; //PAGE NEW DSTH:L RETURN
EEPROM80:80816C             ; ---------------------------------------------------------------------------
EEPROM80:808170 00                  dc.b 0
EEPROM80:808171 95 69               dc.w $9569                   ; NEXTEMMCMD
EEPROM80:808173             ; ---------------------------------------------------------------------------
EEPROM80:808173
EEPROM80:808173             EMMCMDE3_Load_UpstatMsbLsb_To_UpstatMsb_Tmp:
EEPROM80:808173                                                  ; CODE XREF: EMMHandler_Rev241+30p
EEPROM80:808173 CE 30 E8            ld      x, UpstatMsb         ; Load
EEPROM80:808176 C6 30 E9            ld      a, UpstatLsb         ; Load
EEPROM80:808179
EEPROM80:808179             EMMCMDE3_ProcessHeader_Cp_09:        ; Load
EEPROM80:808179 CF 03 DD            ld      UpstatMsb_Tmp, x
EEPROM80:80817C C7 03 DE            ld      UpstatLsb_Tmp, a     ; Load
EEPROM80:80817F AC                  push    dsr                  ; Push onto the Stack
EEPROM80:808180 71 02               ld      dsr, #2              ; Load
EEPROM80:808182 CE 88 CA            ld      x, {CALL_MAP3844_func0E+1} ; UROMPAGE02:288CA 09
EEPROM80:808185 AF                  pop     dsr                  ; Pop from the Stack
EEPROM80:808186 B3 93               cp      x, {EMMBUFF+$13}     ; Arithmetic Compare
EEPROM80:808188 26 11               jrne    EMMCMDE3_Ret         ; Jump if Z = 0 (not equal)
EEPROM80:80818A BE 94               ld      x, {EMMBUFF+$14}     ; Load
EEPROM80:80818C B3 95               cp      x, {EMMBUFF+$15}     ; Arithmetic Compare
EEPROM80:80818E 26 04               jrne    loc_808194           ; Jump if Z = 0 (not equal)
EEPROM80:808190 A3 FE               cp      x, #$FE ; ''        ; Arithmetic Compare
EEPROM80:808192 27 07               jreq    EMMCMDE3_Ret         ; Jump if Z = 1 (equal)
EEPROM80:808194
EEPROM80:808194             loc_808194:                          ; CODE XREF: EMMHandler_Rev241+B9j
EEPROM80:808194 C3 03 DD            cp      x, UpstatMsb_Tmp     ; Arithmetic Compare
EEPROM80:808197 26 02               jrne    EMMCMDE3_Ret         ; Jump if Z = 0 (not equal)
EEPROM80:808199 B1 95               cp      a, {EMMBUFF+$15}     ; Arithmetic Compare
EEPROM80:80819B
EEPROM80:80819B             EMMCMDE3_Ret:                        ; CODE XREF: EMMHandler_Rev241+B3j
EEPROM80:80819B                                                  ; EMMHandler_Rev241+BDj ...
EEPROM80:80819B 81                  ret                          ; Subroutine Return
EEPROM80:80819C             ; ---------------------------------------------------------------------------
EEPROM80:80819C
EEPROM80:80819C             EMMCMDE3_Update_UpstatMsbLsb_ADD1_FromMsbTmp: ; Load
EEPROM80:80819C C6 03 DE            ld      a, UpstatLsb_Tmp
EEPROM80:80819F
EEPROM80:80819F             EMMCMDE3_Update_Upstat:              ; CODE XREF: EMMHandler_Rev241+E7j
EEPROM80:80819F AB 01               add     a, #1                ; Addition
EEPROM80:8081A1 C7 03 DE            ld      UpstatLsb_Tmp, a     ; Load
EEPROM80:8081A4 C6 03 DD            ld      a, UpstatMsb_Tmp     ; Load
EEPROM80:8081A7 A9 00               adc     a, #0                ; Add with Carry
EEPROM80:8081A9 C7 03 DD            ld      UpstatMsb_Tmp, a     ; Load
EEPROM80:8081AC CD 7C FF            call    Update_Upstat_From_UpstatMsbLsb_Tmp ; Call subroutine
EEPROM80:8081AF 87                  eret
EEPROM80:8081B0             ; ---------------------------------------------------------------------------
EEPROM80:8081B0 C6 30 E8            ld      a, UpstatMsb         ; Load
EEPROM80:8081B3 C7 03 DD            ld      UpstatMsb_Tmp, a     ; Load
EEPROM80:8081B6 C6 30 E9            ld      a, UpstatLsb         ; Load
EEPROM80:8081B9 C7 03 DE            ld      UpstatLsb_Tmp, a     ; Load
EEPROM80:8081BC 20 E1               jra     EMMCMDE3_Update_Upstat ; Jump relative always
EEPROM80:8081BC             ; End of function EMMHandler_Rev241
EEPROM80:8081BC
EEPROM80:8081BC             ; ---------------------------------------------------------------------------


#####################################################################################################################









##################################################################################################################
##################################################################################################################

#####################################################################################################
#####################################################################################################
#
#  4.1: Data type list
#####################################################################################################


Mapped ItemID[Index]
		Empty Spaces
	4.2.00: Data Type$00	Mapped ItemID[01] - IRD INFO
	4.2.01: Data Type$01	Mapped ItemID[02] - System Type
	4.2.02: Data Type$02	Mapped ItemId[03] - 
	4.2.03: Data Type$03	Mapped ItemID[04] - 
	4.2.04: Data Type$04	Mapped ItemID[05] - Provider Info
	4.2.--: Data Type$--	Mapped ItemID[06] - Decrypt Keys
	4.2.05: Data Type$05	Mapped ItemID[07] - Tier
	4.2.06: Data Type$06	Mapped ItemID[08] - Provider Filter
	4.2.07: Data Type$07	Mapped ItemID[09] - Spending Limit
	4.2.08: Data Type$08	Mapped ItemID[0A] - DT08+C8
	4.2.  : Data Type$	Mapped ItemID[0B] - 
	4.2.  : Data Type$	Mapped ItemID[0C] - 
	4.2.  : Data Type$	Mapped ItemID[FF] - DTMatchany



	ItemId 02 ???? by emmcmd85
	ItemId 03 ???? by emmcmd13
	ItemId 0C ???? by emmcmd90
	ItemId FF ???? by emmcmd90
	ItemId 04 ???? by emmcmd85 and?

Virgin image contain
		02
		05
		06	20times
		01
		05
		08
#####################################################################################################
#####################################################################################################
#
#
#####################################################################################################

#####################################################################################################
#####################################################################################################
#
#  4.2: Data type breakdown
#####################################################################################################

#####################################################################################################
#####################################################################################################
#Empty Spaces
#
#####################################################################################################


0C 01 00 2A 2A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#####################################################################################################
#####################################################################################################
#	4.2.00: Data Type$00	Mapped ItemID[01] - IRD INFO
#
#####################################################################################################

;Time zone F0 EC , zipcode 00 00 09 2A

0C 00 01 33 33 01
00 00 00 01 
08 01				; System type (00 01 = Dish; 08 01 = Bev)
01				; IRD Status byte
01 				; Free access group
ED				; Time zone
00 12 52
A8 BF 01 01 01			;
02 A5 82 DA			; IRD #
00 00
00 00 07 42			; zipcode
39 10	 			;
DA 82 A5 02			; IRD # in reverse
31 33 45 42			; IRD bootstrap in ascii 	(13EB EAFD E469)
45 41 46 44			; IRD build code in ascii
45 34 36 39			; IRD firmware in ascii
66 12 14 2A 3E			;

0C 00 01 33 33 01
00 00 00 01
00 01
01
01
E9
00 12 A1
A8 BE 01 01 01
02 24 53 B0			; IRD #
00 00
00 01 25 C6			;Zipcode
39 10
B0 53 24 02
32 32 41 42
44 43 45 44
50 32 32 33
66 12 61 19 32

0C 00 01 33 33 01
00 00 00 01
08 01
01
01
ED
00 14 11
A8 BE 01 01 01
02 AF 04 CA
00 00 00
00
0C 06 39 10
C6 C9 4B 02
31 33 45 42
45 41 45 44
45 34 36 39
66 13 76 2D 36

0C 00 01 33 33 01
00 00 00 01
08 01
01
01
F1
00 13 F3
A8 BE 01 01 01
01 BE 22 24
00 00 00
00
01 1A 39 10
24 22 BE 01
31 32 42 42
43 4F 43 41
45 35 30 39
 66 13 B3 2D 66
#####################################################################################################
#####################################################################################################
#	4.2.01: Data Type$01	Mapped ItemID[02] - System Type
#
#####################################################################################################


0C 00 02 0F 0F 02 00		; Header
00 00 01
09 01				; System type
00 00 00 00 00 58 A8 BE

0C 00 02 0F 0F 02 00		; Header
00 00 01
01 01				; System Type
00 00 00 00 00 58 A8 BE

0C 00 02 0F 0F 02 00 00 00 01 09 01 00 00 00 00 00 58 A8 BE
#####################################################################################################
#####################################################################################################
#	4.2.04: Data Type$04	Mapped ItemID[05] - Provider Info
#
#####################################################################################################

#1First 
0C 00 05 0D 0D 05 
00 00 00 01 08 00 00 00 
1B 22 4C A9			; CAM ID



Blackout Key Somewhere
#2Second 
0C 00 05 54 54 05 00 00 00 01 09 00 00 00
1B 22 4C A5			; CAM ID
38 20 00 00 00 03
09 01	
13 00 00 0E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
04 00 61 11 A1 A6 A5 62 12 1D 45 4D 63
00 00 00 00 05 B4 06 00 12 89 00 18 39 0A 
18 88 29 23 05 9F FF FF FF FF	; Callback phone number

Another for 0101
0C 00 05 6A 6A 05
00 00 00 01 01 00 00 00
04 21 FA 7D
38 20 00
00 03 07 04 1B 3B 00 31 18 00 45
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 61 13 69 3D F9 62 13 57 01 C9 63 13 4B 00 01 05 B4 06 06 12 89 00 18 39 0A 
18 00 26 79 08 4F FF FF FF FF 3A 14 B0 00 00 00 00 00 00 00 00 00 00 00 00 00 0F FF FF FF FF FF


0C 00 05 6A 6A 05
00 00 00 01 09 00 00 00
1B 2C 3F 1D
38 20 5D
00 00 08 01 01 0F 00 00 0F 12 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 61 13 16 8B 1D 62 00 00 00 03 63 13 77 6C 05 05 B4 06 01 12 89 00 18 39 0A 18 88 29 23 05 9F FF FF FF FF 3A 14 B0 00 00 00 00 00 00 00 00 00 00 00 00 00 0F FF FF FF FF FF
#####################################################################################################
#####################################################################################################
#	4.2.--: Data Type$--	Mapped ItemID[06] - Decrypt Keys
#
#####################################################################################################
0C 00 06 13 13 06 13 3C 9E E8 00 01 20 0F 08 08 8C A6 A8 8C FD E2 E2 63
      || || || ||             || ||    || || || ||==== Data 
      || || || ||             || ||    || ||=||======= XX __ keylength
      || || || ||             || ||    ||============= KeyNoXX
      || || || ||             || ||=================== always 00 01
      || || || ||===================================== ItemId06
      || || ||======================================== ItemLength
      ||============================================== ItemId06

-----------------------------------------------------------------------------------------------------

keyno0F Boxkey                                  BK BK BK BK BK BK BK BK
0C 00 06 13 13 06 13 3C 9E E8 00 01 20 0F 08 08 8C A6 A8 8C FD E2 E2 63

keyno46 ; IDEA1 ECM Aux1 Video Decrypt Updateorcreate by Emmcmd42
0C 00 06 1B 1B 06 13 DB 00 01 09 00 00 46 08 10 DC B0 E5 19 4C A6 DC 75 86 70 11 C9 D6 9F 16 AB

keyno0D
0C 00 06 23 23 06 13 07 8D 5C 08 01 20 0D 00 18 D9 93 BD 96 6F 80 07 33 39 E6 80 E3 96 26 CC CC 00 C9 35 DF C4 06 70 44

keyno FF
0C 08 10 07 8D BA F7 3A 72 9C AA B4 F5 0F FF 01 97 F1 7A

keyno 0C                               ||-------|>Data-----------------------------------------
0C 00 06 1B 1B 06 13 E5 9E 0A 08 01 00 0C 08 10 F6 30 37 D9 10 D9 62 2E B8 73 CE 60 8E AE F8 2B
####################################################################################################
####################################################################################################
Virgin 240 ALL decryptkeySet
DataspaceHeader not include


XX |----|-------------------------------------------------------------------------------------------
Keyno   |Data->
XX |----|-------------------------------------------------------------------------------------------

not same
09 18 10 3A B9 C7 2A AE 2F D0 3F 88 19 9B 75 2D 3B 69 E4

not same
19 10 60 45 67 D9 C5 DA 24 1F C9 7B 1C FA 01 53 9F C9 E4 70 D2 44 63 B6 8F 70 6A F4 09 A0 F1 2C B3 46 CC 70 CF 59 9A 03 6A C5 B8 A6 11 6C 58 DC 35 AC 13 85 E7 65 DB 1E F3 49 E6 A0 3D C0 81 43 88 25 D7 00 9D BF F0 C7 C4 23 F0 2D 06 D1 86 61 4A 43 0D 0B F6 19 8A 52 2A 3B E4 FB CF 3A 7D ED 5E D0 C3

always same
0B 18 10 0B 8E 5C 77 EA 0A 01 B1 46 F6 F4 C8 6F 82 1D F9

not same
01 10 18 E5 7C 18 8F F1 DE FB 00 CA EB 86 C8 BE E7 02 23 99 2D D7 2F CE 0B 54 C5

not same
00 18 10 99 FC 37 C0 80 F4 CC 7E AB 7C B5 28 40 44 75 7F

KeyNo02 :  IDEA EMM DERYPTKEY provider 0800
always same
02 10 18 17 F6 70 65 57 61 DC 6D 0F F1 04 D9 6B 7E 97 6D 7D 6E E1 DD 54 18 30 31

always same
03 18 10 99 42 3F B0 BB 4B D7 93 69 C8 E4 E0 E6 83 24 A2

not same
11 10 60 93 9C 6C 8C CF 62 5B 50 F2 D4 4A AC 1A 29 5B EB B2 E5 B4 44 9B 39 1F 0B BA BA 66 BB CE 74 D9 DB 44 F7 EE 83 06 D1 4C 41 3F 94 42 F3 D0 99 43 FA 82 05 56 34 8E EE 80 1E CE 17 6E 27 7A 94 AA C3 2A 96 90 C8 DE FE 33 82 1A 13 FA 51 86 A7 A6 4C D2 F7 FC F5 3F C8 62 17 20 72 D8 FC 80 72 FC 88

KeyNo12 :  Rsa Modulus EMM Decrypt Key provider 0800
always same
12 10 60 71 3F F3 89 C2 49 4E 6A 10 69 15 C0 46 20 B6 B1 EF 93 C9 1B 79 6D B1 5A 99 5F 78 8A 2E 74 0C 79 04 C3 83 23 92 1D 86 17 8C AF 36 8D 97 81 20 84 91 0E 04 2A AB FA AC 98 EB CC 19 DA 8A D7 5B 87 A7 54 16 4D CE FA CD 5C DA B9 83 32 AF EF D6 4F 11 D0 9C 94 9B 4E CF 05 DD B0 19 0B 14 CF 5B 9C

not same
01 10 18 68 AD BD EF 68 83 D8 B7 E2 29 86 F7 5F 08 3F 1C 9D 09 18 B3 28 11 80 5E

KeyNo02 :  IDEA EMM DERYPTKEY provider 0900
always same
02 10 18 D3 11 71 93 3A 95 F5 01 8E 6B 68 8B 42 AE B9 FF 22 43 6A BA AE 06 10 83

always same
03 18 10 0E 81 2E E8 EC EA A8 B1 76 47 93 EA F0 66 E1 60

not same
11 10 60 2B 59 A0 B7 CA 01 07 A7 56 5E 0A 2B CD FA 9B A5 C1 CE D6 0D 94 33 D5 59 B1 91 6D F9 2A 92 34 42 A8 13 5E D7 5B B3 CA A5 50 65 7B A4 09 31 42 3A 68 82 1C BE 42 26 9C 4E FF B7 DB 5D 27 5F F7 35 B2 2A FC BD 93 6C FA 95 5F C1 CB A9 E1 C7 37 F6 6C 3A AE 36 4C FB 2C 63 83 A9 FD 0B 09 B2 D6 B7

KeyNo12 :  Rsa Modulus EMM Decrypt Key provider 0900
always same
12 10 60 6B 81 07 E0 1F 3E 5A 61 E7 D7 3C 95 96 7E DF D2 59 A8 02 20 20 6B 47 75 74 FB CC FC 46 2E 04 52 64 0A B9 61 BF F8 5F E0 55 32 6E 6A B2 C6 88 94 AD 32 00 E4 44 B7 3B 22 43 AC A0 9A 8C FA AC 38 AE D9 3A EF 1E CD 37 EF 39 C4 BD 42 E9 D9 F4 DA C5 F3 6D 7D 92 E3 0E F5 CD 17 39 88 A2 90 97 88

KeyNo06 : IDEA0 ECM Aux0 Video Decrypt Updateorcreate by Emmcmd42
always same
06 08 10 D1 02 9D C0 B2 E2 60 C7 52 42 72 A6 7B A2 4E 38

always same
07 08 10 A3 BF 1C 39 24 6F 2F 25 BD F5 39 93 2B DA DC EA

KeyNo166:Rsa Modulus ECM Decrypt Key
always same
16 00 40 A5 79 B3 82 B0 55 FB CB 9C 47 8A AC DB AB 21 6C 2A A6 AA 6D DC FC E8 9B C3 51 F2 C6 5B 18 13 FC F9 2C 82 53 93 F8 C0 28 36 BB 74 A9 B8 30 55 6F 95 70 F9 32 2D 18 01 C2 13 7D 44 FE 3A 1E 8A C5

always same
04 08 10 2B 44 79 5A E6 8A 66 0F 8C 91 96 8E B9 86 FB 9B

KeyNo24 : for Command6D
always same
24 7F 06 19 20 12 75 79 59

not same
KeyNo30 : for Command48_4A
dataspace header include
keyno30 special provider      //  //   XX
0C 00 06 23 23 06 00 00 00 01 FF 01 80 30 21 18 68 62 51 70 1B CA 9E 3C 58 62 09 3D 94 59 BF 54 35 B2 D4 9A 20 13 C0 17
#####################################################################################################
#####################################################################################################
#	4.2.05: Data Type$05	Mapped ItemID[07] - Tier
#
#####################################################################################################

Channel Tier
------------
;DATE1371 = 2005-08-17
;DATE1771 = 2008-06-06	
0C 00 07 0D 0D 07        	;Header
12 0D 45 A6     		;Timestamp
09 01          			;Provider
03             			;IRD Status Byte
00 17 20        		;Rights ID (PPVID)
12 67     			;ExpireDate

Channel Tier
------------
0C 00 07 0D 0D 07        ;Header
14 13 0B 56     ;Timestamp
09 01           ;Provider
13              ;IRD Status Byte
00 1F 76        ;Rights ID (PPVID)
14 36     	;ExpireDate


Channel Tier without detail
---------------------------
0C 00 07 28 28 07 13 07 8D 58 09 01 11 00 1F 42 14 11 A8 BE 00 C8 00 66 13 71 34 44 61 13 07 00 00 62 36 38 A8 BE 0A 02 1C 90 FF 00 FF

Channel Tier
------------
0C 00 07 28 28 07        ;Header
13 07 8D 58     ;Timestamp
09 01           ;Provider
11              ;IRD Status Byte
00 1F 42        ;Rights ID (PPVID)
14 11 A8 BE     ;ExpireDate
00 C8           ;Low Tier (Min Channel)
00              ;Seperator
66 13 71 34 44  ;TimeStamp
61 13 07 00 00  ;Begin Date/Time
62 36 38 A8 BE  ;Rights Date/Time
0A 02 1C        ;Hi Tier (Max Channel)
90 FF 00 FF     ;Theme & Theme Ext.

Channel Tier
------------
0C 00 07 28 28 07        ;Header
13 07 8D 5C     ;Timestamp
09 01           ;Provider
11              ;IRD Status Byte
00 1F 43        ;Rights ID (PPVID)
14 11 A8 BE     ;ExpireDate
0D AC           ;Low Tier (Min Channel)
00              ;Seperator
66 13 71 34 68  ;TimeStamp
61 13 07 00 00  ;Begin Date/Time
62 36 38 A8 BE  ;Rights Date/Time
0A 0E 1A        ;Hi Tier (Max Channel)
90 FF 00 FF     ;Theme & Theme Ext.

Channel Tier
------------
0C 00 07 56 56 07        ;Header
13 38 8E 52     ;Timestamp
01 01           ;Provider
30              ;IRD Status Byte
00 9A A6        ;Rights ID (PPVID)
13 52 A8 BE     ;ExpireDate
00 01           ;Low Tier (Min Channel)
00              ;Seperator
11 FF FF FF     ;???
65 13 51 70 FF  ;??? Date/Time
70 00 03 63 00  ;??/Price/??
62 13 52 A8 BE  ;Rights Date/Time
0A 7F FF        ;Hi Tier (Max Channel)
18 00 00 9A A6  ;Low PPV ID
19 00 00 9A A6  ;High PPV ID
64 13 51 71 95  ;??? Date/Time
88 1D 53 6F 6E 20 6F 66 20 74 68 65 20 4D 61 73 6B 20 28 41 6C 6C 01 50 50 56 02 13 51 70 81  ;PPV Description


Channel Tier
------------
0C 00 07 56 56 07        ;Header
13 2C 96 10     ;Timestamp
01 01           ;Provider
30              ;IRD Status Byte
00 91 54        ;Rights ID (PPVID)
13 4C A8 BE     ;ExpireDate
00 01           ;Low Tier (Min Channel)
00              ;Seperator
11 FF FF FF     ;???
65 13 4B 03 4F  ;??? Date/Time
70 00 03 63 00  ;??/Price/??
62 13 4C A8 BE  ;Rights Date/Time
0A 7F FF        ;Hi Tier (Max Channel)
18 00 00 91 54  ;Low PPV ID
19 00 00 91 54  ;High PPV ID
64 13 4B 04 65  ;??? Date/Time
88 1D 41 72 65 20 57 65 20 54 68 65 72 65 20 59 65 74 3F 20 28 41 01 50 50 56 02 13 4A 9E 35  ;PPV Description
#####################################################################################################
#####################################################################################################
#	4.2.06: Data Type$06	Mapped ItemID[08] - Provider Filter
#
#####################################################################################################
			, Always Same

0C 00 08 09 09 08 00
00 00 01 
08 01
20
00

another
0C 00 08 09 09 08 00
00 00 01
00 01
20
00

another
0C 00 08 09 09 08 00
00 00 01
00 01
20
00
another
0C 00 08 1F 1F 08 00
00 00 01
00 01
00 00 68 00 00 00 00 00 00 00 00 38 04 00 00 00 00 03 00 09 00 00 39 00
#####################################################################################################
#####################################################################################################
#	4.2.07: Data Type$07	Mapped ItemID[09] - Spending Limit
#
#####################################################################################################

0C 00 09 23 23 09		;Header
12 D2 07 50 09 01 01 FF FF FF 13 F3 A8 BE 00 73 55 00 01 09 23 00 00 87 66 13 B3 38 EA 64 13 B2 05 1C

another
0C 00 09 1E 1E 09
12 1D 45 30 09 01 81 FF FF FF 12 52 A8 BF 00 00 00 00 00 0A 00 00 00 32 66 12 14 2B 76

another
0C 00 09 23 23 09
12 D2 07 50 09 01 01 FF FF FF 13 F3 A8 BE 00 73 55 00 01 09 23 00 00 87 66 13 B3 38 EA 64 13 B2 05 1C

another
0C 00 09 1E 1E 09
13 07 8D 5C 09 01 01 FF FF FF 14 11 A8 BE 00 00 00 00 00 0A 00 00 00 87 66 13 76 36 9E

another
0C 00 09 1E 1E 09
12 72 86 0C 01 01 81 FF FF FF 12 B2 A8 BE 00 00 00 00 00 01 00 00 00 32 66 12 72 82 10

another
0C 00 09 23 23 09
12 5F 4F EA 01 01 C1 FF FF FF 12 A1 A8 BE 00 7A 51 00 00 B7 53 00 00 32 66 12 61 22 8E 64 12 4A A8 BF

another
0C 00 09 23 23 09
10 31 1D C8 01 01 41 FF FF FF 11 81 A8 BE 00 03 63 00 00 4B 00 00 00 32 66 11 41 21 E0 64 10 42 0F 1A

another
0C 00 09 23 23 09
13 56 A7 50 
01 01				;System ID (01 01 = Dish ; 09 01 = Bev)
81				;IRD status byte
FF FF FF
13 94				;Expiration Date
A8 BE				;Time
00 27 59			;Credit in cash
00 00 6A 5B			;Debit in cash
00
00 32				;Phone home threshold
66 13 54 7F 86 64 13 4B A8 BF
#####################################################################################################
#####################################################################################################
#	4.2.08: Data Type$08	Mapped ItemID[0A] - DT08+C8
#
#####################################################################################################

0C 00 0A 54 54 0A		;Header
11 91 80 74 08 01 08 FF FF 49 	;always
80 29 7C EF 55 3D 98 A2 53 93 94 2E E9 5B 00 2A 66 1B C9 AB 5C D1 03 E1 CB 95 D7 1C 33 09 82 DF 1F C7 F0 31 E2 E0 26 C7 F0 BF 9D 83 99 B5 B3 05 05 78 71 9D 5A 3C C5 FE 16 90 44 B6 F5 CB 99 40 5F 58 96 EB 0F B7 A7 2C 48

another
0C 00 0A 54 54 0A
11 1D 0C D8 00 01 08 FF FF 49 80	; 
3D 24 71 61 76 5B FF E6 87 B4 AB 12 06 9C 67 1D D8 2A 09 04 8C E4 48 E8 EA 01 70 31 2A 8D 8F E6 6E A9 45 F3 4D DC 29 64 48 5B E5 52 62 10 F4 D0 B0 BC 14 6E 94 8C B6 38 D6 52 7C E3 4D 8A B8 1D 3C 9B 35 6F CB 7D AB 7D

another
0C 00 0A 54 54 0A
13 54 7F 88 00 01 08 FF FF 49 00
E8 9A A0 35 B6 C6 D7 F8 6D CF 7E 16 F0 52 46 88 BB 80 79 C1 6E D7 CB 03 E0 75 34 72 57 09 9C 9C B9 CA 61 71 5F D2 C9 11 AC 6A B9 49 1B F2 2A 6A C8 49 AA 4C DD EC 7C 21 34 47 CD 57 85 F4 DD 00 63 DD 52 58 2C D5 BE 3F


To receive it
DT08 get by TX:21 00 09 A0 CA 00 00 03 22 01 08 55 3F
RX = 12 40 4D A2 49 52 F0 00 00 00 00 01 08 FF 49 80 
3D 24 71 61 76 5B FF E6 87 B4 AB 12 06 9C 67 1D D8 2A 09 04 8C E4 48 E8 EA 01 70 31 2A 8D 8F E6 6E A9 45 F3 4D DC 29 64 48 5B E5 52 62 10 F4 D0 B0 BC 14 6E 94 8C B6 38 D6 52 7C E3 4D 8A 90 00 9E 

DT08(+C8)  TX:21 40 09 A0 CA 00 00 03 22 01 C8 55 BF
RX = 12 00 57 A2 53 52 F0 00 00 00>00 01 08 FF 49 80
3D 24 71 61 76 5B FF E6 87 B4 AB 12 06 9C 67 1D D8 2A 09 04 8C E4 48 E8 EA 01 70 31 2A 8D 8F E6 6E A9 45 F3 4D DC 29 64 48 5B E5 52 62 10 F4 D0 B0 BC 14 6E 94 8C B6 38 D6 52 7C E3 4D 8A B8 1D 3C 9B 35 6F CB 7D AB 7D 90 00 E6 


#####################################################################################################
#####################################################################################################
#	4.2.08: Data Type$0C	Mapped ItemID[0C] - ??
#
#####################################################################################################
0C 00 0C 0B 0B 0C 12 D2 31 80 08 01 00 01 FF FF

#####################################################################################################
#####################################################################################################
#section5 The backdoors
#  5.1: The backdoor passwords
#####################################################################################################
INCOMPLETE!!!!!!!!!!!!!
key&?
Len=80=640bits
83 93 83 D1 D8 FA B0 D4 2C 92
14 77 07 7A 8C 02 4C EC 98 88 1B 08 4F 5F 30 18
1F FD 73 09 BD 99 EA 8A AC 86 BF C5 35 62 00 1B
FE 96 B0 76 D2 7C 61 42 3E D8 E6 40 82 DD D0 1D
A2 20 EF B2 AB 02 72 A4 30 3C F0 0C C4 CF A1 D0
84 0F C0 2B DD 47 18 EA D9 5A 19 C0 7B 95 88 D4
F6 A4 BC 53 29 2E 75 62 F0 98 D8 C4 41 51 7D 04
D1 A5 0E CA 38 A1 4C C2 86 0B A8 8C 5A F1 AA 0D
96 11 4D C6 1D A9

eeprom password>3040                ; SRC Backdoor

#####################################################################################################
#####################################################################################################
#section5 The backdoors
#  5.2: The backdoor commands
#####################################################################################################
INCOMPLETE!!!!!!!!!!!!!
//ALL CLA_AD Utility, Backdoor Process
//7D17 to 7D9B
iobuff+5 Len 81
  21 00 08 ; A0 AD 00 00                ;Standard header
                                      ;Instruction length
                                      ;Command
                                      ;Command data length
                                      ;Expected response length
                                      ;Checksum

no answer because jp      IdleTop

after send bad INS if backdoor was valid and? dunno what
UROM:7D17             ClaA0Ins_Other_than_AD:              ; CODE XREF: ClaA0Ins_Other_than_AD+Dj
UROM:7D17 06 62 03            btjt    STATS3, #3, ClaA0InsAD_JP_0100 ; Jump if bit is true
UROM:7D1A CC 7A C0            jp      CleanAndSW6F00       ; Absolute Jump


#####################################################################################################
#####################################################################################################
#section6: Inside NagraVision cards
#  6.1: The MCU core
#  6.2: AA-06 vs AA-07
#####################################################################################################
Forum Post copy-paste From Trinity

ST19CF68
ROM10/ROM11/ROM101 Die Marking K410D, 600nm process, the base die has been designed in 1997 (the rom mask can be later than that)

ST19XL18
ROM102 Die marking K5F0A, Square in nature 350nm process, the base die has been designed in 2002. (Important Note, the die size is bigger than the ST19CF68 but the feature size is half smaller... go figure...)

ROM102 Die marking K590A, rectangular in nature 350nm process. Pretty
much the same as K5F0A, just placed differently...

ST19W??
ROMS01 Die Marking K710A, 180nm process, square in nature and half the ROM102 size. Designed in 2003.

As for the ROM102, well, like I mentionned earlier, if the feature size is half of what it used to be and the die is bigger that the previous generation, it means that there is a lot more stuff implemeted on the circuit than before, so I would imagine that most of the added stuff would be security. Atually, I just looking at a document that is describing the stuff that a ST19XL18 has:
- 8 Bit processing unit
- Volatile memory (SRAM), Non-volatile (ROM and EEPROM)
- Security Blocks: Memory Access Control Logic (MACL), clock generator, security administrator, power manager
- Supporting functions: I/O Ports (Contact only), 8 Bit timer, unpredictable
here is the link : ////http://www.ssi.gouv.fr/site_documen...ible2005_10.pdf

Trinity
#####################################################################################################
#####################################################################################################
#section7: Glossary
#  7.1: Glossary
#####################################################################################################
bla bla bla bla


#####################################################################################################
#####################################################################################################
#section8: Encryption
#  8.1: ECM encryption
#####################################################################################################
<-----------> Cmd 07 --> 2005-11-29 17:50:28
<-->
21 40 4D A0 CA 00 00 47 07 45 09 01 86 00 88 72 2A E9 21 EB 85 83 D7 7B C1 32 C9 24 64 6B 0F 27 7D 5B A9 2D 36 7F 06 8E 0F A5 81 E0 56 A8 C5 76 57 CB AA A4 FF 30 14 64 38 51 77 83 FD 51 5A 3F 24 0D 3A E3 EC 83 C5 55 D8 74 18 C8 23 43 7D 02 5D
<-->
12 40 04 87 00 90 00 41
<-->
21 40 4D --> NAD,PCB,LEN
A0 CA 00 00 --> CLA,INS,P1,P2
47 --> Command Length
07 --> Command
45 --> Data length
09 01 --> Provinder
86 00 88 --> Key Select

ECM Plain Text
72 99 7D 2D 3E 31 EC 91
09 01 --> Providers
13 D9 --> Current Date 2005-11-29
A0 6C --> Current Time 22:48:56
00 80
13 E3 --> Date 2005-12-09
8B F3 --> Time 19:54:14
30 0B
02 44 --> Channel
80 00 FF 00
13 D9 --> Date 2005-11-29
9E 35 --> Time 22:30:02
1E
10 --> CW 10 EVEN, 11 ODD
09 --> Length
00
0B 0B 15 2B 55 AE 25 28 --> CW ( Session Key )
11 --> CW 10 EVEN, 11 ODD
09 --> Length
00
93 D0 0D 70 BE 9F A8 05 --> CW ( Session Key )
00 --> ECM END
7D B4 A8 F7 17 74 AA 55

02 --> Response length
5D --> Checksum
<-->
12 40 04 --> NAD,PCB,LEN
87 --> Response code
00 --> Data length
90 00 --> SW1/SW2
41 --> Checksum
<-->
#####################################################################################################
#####################################################################################################
#section8: Encryption
#  8.2: EMM encryption
#####################################################################################################

emm decryption module
TRAP 9599 tO 9000
TRAP 60DB to 8219
Description each emm are copy to iobuff+7 0dFF
to retreive send any A0 XX other than CA and FF Example : 21 40 07 A0 BB 00 00 02 15 00 6A

########################################################
ClassA0ins handler
821A: 17 63        bclr3 $63            ; Bit 3 <-- 0
821C: A1 CA        cmp #$CA             ; Compare with A
821E: 26 03        bne $8223            ; Branch if <>
8220: CC 60 EC     jmp $60EC            ; Jump

8223: A1 FF        cmp #$FF             ; Compare with A
8225: 26 03        bne $822A            ; Branch if <>
8227: CC 7D 99     jmp $7D99            ; jp      {EMMBUFF+8} Interceptor

822A: A6 15        lda #$15             ; Load in A
822C: CD 64 72     jsr $Respond         ; Go to subroutine
		   db.AA
                   db.65
8231: CC 7A 95     jmp $SW9000          ; Jump
#########################################################
EmmHandler
9000: CD 5A 6C     jsr $Copy_ZP_to_RAM  ; Go to subroutine
		   db.w 0DFF		; AddressH, AddressL,
		   db.b 60		; Bytes Count (N)
		   db.b 80		; and SourceZP

9007: A6 00        lda #$00             ; Load in A		;remove it
9009: CC 95 79     jmp $GOEMMEND           ; Jump
#########################################################
#####################################################################################################
#####################################################################################################
#section8: Encryption
#  8.3: The valid hash
#####################################################################################################

#####################################################################################################
#####################################################################################################
#section9: Hacks
# 
#####################################################################################################
bla h

#####################################################################################################
#####################################################################################################
#section10: Firmware versions of the various E* cards
#   10.102: ROM102 firmware versions
#####################################################################################################

                 Receive block size                  To compute LRC skip the first byte "3F"
			||                                                    ||			
3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50 31 30 31 20 52 65 76 30 30 37 3D
	101 Rev007 dish

3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50 31 30 31 20 52 65 76 30 30 38 32
	101 Rev008 dish

3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50 31 30 31 20 52 65 76 30 30 39 33
	101 Rev009 dish



3F FF 95 00 FF 91 81 71 FF 47 00 44 4E 41 53 50 31 30 32 20 52 65 76 31 30 33 64
	102 Rev103 dish

3F FF 95 00 FF 91 81 71 FF 47 00 44 4E 41 53 50 31 30 32 20 52 65 76 31 30 35 62
	102 Rev105 dish

3F FF 95 00 FF 91 81 71 FF 47 00 44 4E 41 53 50 31 30 32 20 52 65 76 32 34 30 60
	102 Rev240 bev

3F FF 95 00 FF 91 81 71 FF 47 00 44 4E 41 53 50 31 30 32 20 52 65 76 32 34 31 61	
	102 Rev241 bev

3F FF 95 00 FF 91 81 71 FF 47 00 44 4E 41 53 50 31 30 32 20 52 65 76 32 34 32 62	
	102 Rev242 bev

3F FF 95 00 FF 91 81 71 FF 47 00 44 4E 41 53 50 31 30 32 20 52 65 76 32 38 31 6D
	102 Rev281 dish



3F FF 95 00 FF 91 81 71 FF 47 00 44 4E 41 53 50 31 30 33 20 52 65 76 33 30 30 64
	103 Rev300 dish

3F FF 95 00 FF 91 81 71 FF 47 00 44 4E 41 53 50 31 30 33 20 52 65 76 33 38 33 6F
	103 Rev383 dish

3F FF 95 00 FF 91 81 71 FF 47 00 44 4E 41 53 50 53 30 31 20 44 73 68 36 30 32 1D
	S01 Dsh602 dish

3F FF 95 00 FF 91 81 71 FF 47 00 44 4E 41 53 50 53 30 31 20 52 65 76 36 34 30 05
	S01 Rev640 bev

3F FF 95 00 FF 91 81 71 FF 47 00 44 4E 41 53 50 53 30 32 20 44 73 68 38 30 32 10
	S02 Dsh802 dish


#####################################################################################################
#####################################################################################################
#section11: Writing code for NagraVision cards
# 
#####################################################################################################
11: Writing code for NagraVision cards
  11.3: ROM102 cards
     11.3.1: Bug-catcher modules
     11.3.2: Hooking in a bug-catcher
     11.3.3: Useful routines and memory locations
        11.3.3.1: Utility routines
        11.3.3.2: Database routines
        11.3.3.3: Low-level routines
        11.3.3.4: Encryption/decryption routines
     11.3.4: Memory usage
        11.3.4.1: ZP RAM
        11.3.4.2: Other RAM
        11.3.4.3: Tables in ROM and EEPROM
	11.3.5: MAPROM
#####################################################################################################
#####################################################################################################
#Section11
#     11.3.1: Bug-catcher modules
#####################################################################################################

$3170=C0038800301001141900801A80000060
$3180=DB8219008859807500812B80A0008AB3
$3190=80C80000000000000000000000000000

3178=BUGCOUNT


      PAGE SRC DSTEEPROM
TRAP1 00 801A 8000
TRAP2 00 60DB 8219


#####################################################################################################
#####################################################################################################
#Section
#     11.3.3: Usefull routines and memory locations
#####################################################################################################
 	Rom102 Index 
 	 4000 to 46FA Reset and IO utility
	 46FA to 4FF9 ItemId Utility , Update etc..
	 4FF9 to XXXX DelaySubRoutine and RamUtility
	 558B to 5668 DecodeEmm
	 5668 to 5D56 Utility Tool
	 5D56 to XXXX Startup
	 5F92 to XXXX TRAP
	 60D4 to XXXX ClassA0Handle
	 610A to 6CF3 FirstComand$$
	 6CF3 to 70F2 EEprom Utility
	 70F2 to 7A7A DataItemId Utility, Update GetmatchingItem etc..
	 7A7A to 7BB4 SW Utility , Sw6F00 etc..
	 7BB4 to 7D14 EMMCMDB1 (Tool Set #1)
	 7D17 to 7D9B CLA_AD Utility, Backdoor Process
	 7D9B to 8000 Some Emmprocess utility ??
	 8000 to 8032 BuildATR
	 821D to XXXX ENCODECALLBACK
	 84C7 to XXXX IDEA_Decode_Blocks
	 8677 to XXXX Emmdecrypt
	 8992 to XXXX CALL_MAP3844
	 8A6B to XXXX Decode_CW
	 9550 to A23C PROCEEDEMMCMD
	 A23C to XXXX IDEA_GenerateExpandedKey
	 A281 to XXXX IDEA_Mul
	 A2E9 to XXXX IDEA_Cipher
	 A5E9 to XXXX KeySelect and MoveIoEmm
	 A77C to XXXX Rsa Decryption Tool
	 A822 to XXXX CALL_MAP3840
	 A904 to AADC EMMCMDB1 (Tool Set #2)
        	 AA76 OTP3008_Sub
	 AADC to AD94 EMMCMDB1 (Tool Set #3)
	 AD94 Opcode end
#####################################################################################################
#####################################################################################################
#Section
#     11.3.4: Memory usage 
#####################################################################################################
#Rom102 Mem location

---------------------------
   Page: Address
---------------------------
       User-ROM:
    xx : $4000-$7FFF (16K)
    00 : $8000-00:$FFFF (32K)
    01 : $8000-01:$FFFF (32K)
    02 : $8000-02:$BFFF (16K)
----------------------------
    EEP:
----------------------------
    xx : $3000-$37FF (2K)
   $80 : $8000-$80:$FFFF (32K)
#####################################################################################################
#####################################################################################################
#Section
#     11.3.5: MAPROM
#####################################################################################################
UROMPAGE00:89A2 CD 38 44                    call    $3844
  
UROMPAGE00:A832 CD 38 40                    call    $3840

thanks to BigJx
[MapFunctions]
02=Set default Operand size 
04=Import Message at [44:45] to MapRegA
07=Import Modulus at [44:45] to MapRegD
0B=Export MapRegA to [44:45]
0C=Export MapRegB to [44:45]
0D=Export MapRegC to [44:45]
28=Generate Random Number in MapRegA
3C=Calculate Message^PrivateExp mod Modulus, result in MapRegA 
46=Calculate Message^Exp mod Modulus, Exp at [44:45], result in MapRegA 
49=Calculate PrivateExp=E^-1 mod PHI(P*Q), parameters at [46:47]
48=Calculate P*Q, parameters at [46:47], result in MapRegB and MapRegC


#####################################################################################################
#####################################################################################################
#Section13.1 Stream
#Bootup sequence 0101
#####################################################################################################


0001 init seq
21 C1 01 80 61
12 E1 01 80 72
21 00 08 A0 CA 00 00 02 C0 00 06 87
12 00 08 B0 04 53 03 00 00 90 00 6E
21 40 08 A0 CA 00 00 02 12 00 06 15
12 40 08 92 04 04 0D 98 FF 90 00 32
21 00 08 A0 CA 00 00 02 15 00 08 5C
12 00 0A 95 06 0E 55 55 60 0E 55 90 00 2E
21 40 09 A0 CA 00 00 03 22 01 00 39 1B
12 40 3B A2 37 2A FF 90 00 00 00 01 01 ED 01 01 01 01 4E B3 5C 00 00 00 00 90 F6 12 53 A8 BE 10 5C B3 4E 01 31 33 45 42 45 41 45 44 50 32 32 39 00 00 00 00 00 00 00 00 00 00 00 00 90 00 8D
21 00 09 A0 CA 00 00 03 22 01 80 39 DB
12 00 3B A2 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 2C
21 40 09 A0 CA 00 00 03 22 01 08 55 7F
12 40 57 A2 53 52 F0 00 00 00 00 01 08 FF 49 00 D7 5C 32 BA CC 9A 49 07 D8 29 93 5C 51 B1 69 E7 74 AA 3C 5D 84 7D 94 78 D9 20 C1 26 5B 5D 7D 8B 9A 47 05 6F 8D 5C B3 8B E8 46 06 76 40 65 61 FB B3 A8 4F 7F EE 70 78 56 0A 20 AB 05 6A 9F CD 86 B4 A2 53 22 08 AE 53 D6 90 00 AC
21 00 09 A0 CA 00 00 03 22 01 88 55 BF
12 00 57 A2 53 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CD 86 B4 A2 53 22 08 AE 53 D6 90 00 2B
21 40 08 A0 CA 00 00 02 C7 00 04 C2
12 40 06 B7 02 FF FF 90 00 71
21 00 09 A0 CA 00 00 03 22 01 00 39 5B
12 00 3B A2 37 2A FF 90 00 00 00 01 01 ED 01 01 01 01 4E B3 5C 00 00 00 00 90 F6 12 53 A8 BE 10 5C B3 4E 01 31 33 45 42 45 41 45 44 50 32 32 39 00 00 00 00 00 00 00 00 00 00 00 00 90 00 CD
21 40 09 A0 CA 00 00 03 22 01 80 39 9B
12 40 3B A2 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 6C
21 00 09 A0 CA 00 00 03 22 01 01 0E 6D
12 00 10 A2 0C 0B E0 00 00 00 01 01 00 00 00 00 00 90 00 D7
21 40 09 A0 CA 00 00 03 22 01 81 0E AD
12 40 10 A2 0C 00 00 00 00 00 00 00 00 00 00 00 00 90 00 7C
21 00 09 A0 CA 00 00 03 22 01 04 44 22
12 00 46 A2 42 07 C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 E3
21 40 09 A0 CA 00 00 03 22 01 84 44 E2
12 40 46 A2 42 41 FF 80 00 00 01 00 00 0F CB 35 95 00 00 00 03 10 BC 84 29 B4 01 20 2A 4A 00 00 38 15 2F 03 29 00 01 46 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0A 18 00 55 55 55 5F FF FF FF FF 90 00 BF
21 00 09 A0 CA 00 00 03 22 01 84 44 A2
12 00 46 A2 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 24
21 40 09 A0 CA 00 00 03 22 01 08 55 7F
12 40 57 A2 53 52 F0 00 00 00 00 01 08 FF 49 00 D7 5C 32 BA CC 9A 49 07 D8 29 93 5C 51 B1 69 E7 74 AA 3C 5D 84 7D 94 78 D9 20 C1 26 5B 5D 7D 8B 9A 47 05 6F 8D 5C B3 8B E8 46 06 76 40 65 61 FB B3 A8 4F 7F EE 70 78 56 0A 20 AB 05 6A 9F CD 86 B4 A2 53 22 08 AE 53 D6 90 00 AC
21 00 09 A0 CA 00 00 03 22 01 88 55 BF
12 00 57 A2 53 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CD 86 B4 A2 53 22 08 AE 53 D6 90 00 2B
21 40 09 A0 CA 00 00 03 22 01 03 1C 3D
12 40 1E A2 1A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 64
21 00 09 A0 CA 00 00 03 22 01 06 13 77
12 00 15 A2 11 08 E0 00 00 00 00 01 20 00 00 00 00 00 00 00 00 00 90 00 ED
21 40 09 A0 CA 00 00 03 22 01 86 13 B7
12 40 15 A2 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 64
21 00 09 A0 CA 00 00 03 22 01 07 20 45
12 00 22 A2 1E 18 FC 00 00 00 01 01 01 10 FA A8 BE 00 00 00 00 00 0A 00 00 00 32 FF FF FF 00 00 00 00 00 90 00 C2
21 40 09 A0 CA 00 00 03 22 01 87 20 85
12 40 22 A2 1E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 5C
21 00 09 A0 CA 00 00 03 22 01 02 2F 4F
12 00 31 A2 2D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 3C
21 40 09 A0 CA 00 00 03 22 01 05 57 70
12 40 59 A2 55 1E FF 88 00 00 01 01 01 00 00 D1 36 38 00 00 00 00 00 12 27 00 00 36 38 00 00 FF FF FF 00 FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CD 86 B4 A2 55 22 05 AE 1E D6 C7 A0 90 00 CE
21 00 09 A0 CA 00 00 03 22 01 85 57 B0
12 00 59 A2 55 1E FF 88 00 00 01 01 01 00 00 CF 36 38 A8 BE 01 12 00 12 14 00 00 36 38 A8 BE FF 00 FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 9E
21 40 09 A0 CA 00 00 03 22 01 85 57 F0
12 40 59 A2 55 1E FF 88 00 00 01 01 01 00 00 CF 36 38 A8 BE 01 12 00 12 14 00 00 36 38 A8 BE FF 00 FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 DE
21 00 09 A0 CA 00 00 03 22 01 85 57 B0
12 00 59 A2 55 1E FF 88 00 00 01 01 01 00 00 CF 36 38 A8 BE 01 12 00 12 14 00 00 36 38 A8 BE FF 00 FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 9E
21 40 09 A0 CA 00 00 03 22 01 85 57 F0
12 40 59 A2 55 1E FF 88 00 00 01 01 01 00 00 CF 36 38 A8 BE 01 12 00 12 14 00 00 36 38 A8 BE FF 00 FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 DE
21 00 09 A0 CA 00 00 03 22 01 85 57 B0
12 00 59 A2 55 1E FF 88 00 00 01 01 01 00 00 CF 36 38 A8 BE 01 58 00 11 F6 00 00 36 38 A8 BE 02 94 FF 00 FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 A3
21 40 09 A0 CA 00 00 03 22 01 85 57 F0
12 40 59 A2 55 1E FF 88 00 00 01 01 01 00 00 CF 36 38 A8 BE 01 12 00 12 14 00 00 36 38 A8 BE FF 00 FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 DE
21 00 09 A0 CA 00 00 03 22 01 85 57 B0
12 00 59 A2 55 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 2C
21 40 09 A0 CA 00 00 03 22 01 09 06 2D
12 40 08 A2 04 00 00 00 00 90 00 6C
21 00 09 A0 CA 00 00 03 22 01 0A 06 6E
12 00 08 A2 04 00 00 00 00 90 00 2C
21 40 09 A0 CA 00 00 03 22 01 0B 06 2F
12 40 08 A2 04 00 00 00 00 90 00 6C
21 00 09 A0 CA 00 00 03 22 01 0C 06 68
12 00 08 A2 04 00 00 00 00 90 00 2C
21 40 09 A0 CA 00 00 03 22 01 0D 06 29
12 40 08 A2 04 00 00 00 00 90 00 6C
21 00 09 A0 CA 00 00 03 22 01 0E 06 6A
12 00 08 A2 04 00 00 00 00 90 00 2C
21 40 09 A0 CA 00 00 03 22 01 0F 06 2B
12 40 08 A2 04 00 00 00 00 90 00 6C
21 00 18 A0 CA 00 00 12 64 10 5C B3 4E 01 31 32 42 42 43 42 4E 41 38 33 33 50 03 F3
12 00 05 E4 01 00 90 00 62
21 40 08 A0 CA 00 00 02 2A 00 42 69
12 40 44 AA 40 6A C4 1E E9 02 54 CA 4D 11 31 D0 6E 35 15 DE EF AF 81 95 BB 3B A2 B5 2B 84 6F B6 C7 EF 3C A9 D9 4A B9 C6 95 5B E1 35 88 0F CF 0C 40 25 69 BC 80 CE F2 CF 93 B6 B6 7A 45 AD A4 15 C6 16 2F BE 26 90 00 2A
21 00 48 A0 CA 00 00 42 2B 40 09 64 2B E7 C9 9C 92 36 EC A6 81 4F BF A0 70 80 C5 B1 1E D7 22 93 52 4C B9 75 C5 A5 83 B5 A5 E6 23 A7 C5 26 A7 25 45 04 D3 FA 53 17 44 1B 9D 40 30 0E AB 84 7F 49 A9 64 04 FC 1B D7 54 6E FB 33 02 BF
12 00 04 AB 00 90 00 2D
21 40 08 A0 CA 00 00 02 C0 00 06 C7
12 40 08 B0 04 53 00 00 00 90 00 2D


#####################################################################################################
#####################################################################################################
#section13.2 Stream
#Bootup sequence cut
#####################################################################################################

0001 stripped init seq
21 C1 01 80 61
21 00 08 A0 CA 00 00 02 C0 00 06 87
21 40 08 A0 CA 00 00 02 12 00 06 15
21 00 08 A0 CA 00 00 02 15 00 08 5C
21 40 09 A0 CA 00 00 03 22 01 00 39 1B
21 00 09 A0 CA 00 00 03 22 01 80 39 DB
21 40 09 A0 CA 00 00 03 22 01 08 55 7F
21 00 09 A0 CA 00 00 03 22 01 88 55 BF
21 40 08 A0 CA 00 00 02 C7 00 04 C2
21 00 09 A0 CA 00 00 03 22 01 00 39 5B
21 40 09 A0 CA 00 00 03 22 01 80 39 9B
21 00 09 A0 CA 00 00 03 22 01 01 0E 6D
21 40 09 A0 CA 00 00 03 22 01 81 0E AD
21 00 09 A0 CA 00 00 03 22 01 04 44 22
21 40 09 A0 CA 00 00 03 22 01 84 44 E2
21 00 09 A0 CA 00 00 03 22 01 84 44 A2
21 40 09 A0 CA 00 00 03 22 01 08 55 7F
21 00 09 A0 CA 00 00 03 22 01 88 55 BF
21 40 09 A0 CA 00 00 03 22 01 03 1C 3D
21 00 09 A0 CA 00 00 03 22 01 06 13 77
21 40 09 A0 CA 00 00 03 22 01 86 13 B7
21 00 09 A0 CA 00 00 03 22 01 07 20 45
21 40 09 A0 CA 00 00 03 22 01 87 20 85
21 00 09 A0 CA 00 00 03 22 01 02 2F 4F
21 40 09 A0 CA 00 00 03 22 01 05 57 70
21 00 09 A0 CA 00 00 03 22 01 85 57 B0
21 40 09 A0 CA 00 00 03 22 01 85 57 F0
21 00 09 A0 CA 00 00 03 22 01 85 57 B0
21 40 09 A0 CA 00 00 03 22 01 85 57 F0
21 00 09 A0 CA 00 00 03 22 01 85 57 B0
21 40 09 A0 CA 00 00 03 22 01 85 57 F0
21 00 09 A0 CA 00 00 03 22 01 85 57 B0
21 40 09 A0 CA 00 00 03 22 01 09 06 2D
21 00 09 A0 CA 00 00 03 22 01 0A 06 6E
21 40 09 A0 CA 00 00 03 22 01 0B 06 2F
21 00 09 A0 CA 00 00 03 22 01 0C 06 68
21 40 09 A0 CA 00 00 03 22 01 0D 06 29
12 40 08 A2 04 00 00 00 00 90 00 6C
21 00 09 A0 CA 00 00 03 22 01 0E 06 6A
21 40 09 A0 CA 00 00 03 22 01 0F 06 2B
21 00 18 A0 CA 00 00 12 64 10 5C B3 4E 01 31 32 42 42 43 42 4E 41 38 33 33 50 03 F3
21 40 08 A0 CA 00 00 02 2A 00 42 69
21 00 48 A0 CA 00 00 42 2B 40 09 64 2B E7 C9 9C 92 36 EC A6 81 4F BF A0 70 80 C5 B1 1E D7 22 93 52 4C B9 75 C5 A5 83 B5 A5 E6 23 A7 C5 26 A7 25 45 04 D3 FA 53 17 44 1B 9D 40 30 0E AB 84 7F 49 A9 64 04 FC 1B D7 54 6E FB 33 02 BF
21 40 08 A0 CA 00 00 02 C0 00 06 C7



#####################################################################################################
#####################################################################################################
#section13.3 Stream
#Bootup sequence 0801
#####################################################################################################

0801 init seq
21 C1 01 3F 61 
12 E1 01 3F 72 
21 00 08 A0 CA 00 00 02 C0 00 06 87 
12 00 08 B0 04 73 03 00 00 90 00 4E 
21 40 08 A0 CA 00 00 02 C0 00 06 C7 
12 40 08 B0 04 73 01 00 00 90 00 0C 
21 00 08 A0 CA 00 00 02 12 00 06 55 
12 00 08 92 04 1B 28 35 9F 90 00 85 
21 40 08 A0 CA 00 00 02 15 00 08 1C 
12 40 0A 95 06 0E 55 55 60 0E 55 90 00 6E 
21 00 08 A0 CA 00 00 02 C7 00 04 82 
12 00 06 B7 02 FF FF 90 00 31 
21 40 09 A0 CA 00 00 03 22 01 00 39 1B 
12 40 3B A2 37 2A FF 90 00 00 08 01 01 ED 01 01 01 xx xx xx
         xx 00 00 00 01 77 20 1A 70 20 20 10 xx xx xx xx  
         33 33 33 33 33 33 33 33 44 44 44 44 00 00 00 00 
         00 00 00 00 00 00 00 00 90 00 E1 
21 00 09 A0 CA 00 00 03 22 01 80 39 DB 
12 00 3B A2 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 90 00 2C 
21 40 09 A0 CA 00 00 03 22 01 01 0E 2D 
12 40 10 A2 0C 0B E0 00 00 00 09 01 00 00 00 00 00 90 00 9F 
21 00 09 A0 CA 00 00 03 22 01 81 0E ED 
12 00 10 A2 0C 00 00 00 00 00 00 00 00 00 00 00 00 90 00 3C 
21 40 09 A0 CA 00 00 03 22 01 04 44 62 
12 40 46 A2 42 07 C0 00 00 00 08 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 90 00 AB 
21 00 09 A0 CA 00 00 03 22 01 84 44 A2 
12 00 46 A2 42 56 FF C0 00 00 09 00 00 13 24 2F BD 00 00 00 
         03 00 00 00 00 B4 00 20 5D 00 00 00 00 00 0F 00 
         00 0F 00 41 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 0A 18 88 29 23 05 9F FF 
         FF FF FF 90 00 60 
21 40 09 A0 CA 00 00 03 22 01 C4 59 BF 
12 40 5B A2 57 56 FF C0 00 00 09 00 00 13 24 2F BD 00 00 00 
         03 00 00 00 00 B4 00 20 5D 00 00 00 00 00 0F 00 
         00 0F 00 41 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 0A 18 88 29 23 05 9F FF 
         FF FF FF 14 B0 00 00 00 00 00 00 00 00 00 00 00 
         00 00 0F FF FF FF FF FF 90 00 7C 
21 00 09 A0 CA 00 00 03 22 01 84 44 A2 
12 00 46 A2 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 90 00 24 
21 40 09 A0 CA 00 00 03 22 01 08 55 7F 
12 40 57 A2 53 52 F0 00 00 00 08 01 08 FF 49 80 83 E8 00 B7 
         63 01 C8 B0 51 FC 8F 52 A6 2E CA 3A 5E 43 69 67 
         CC 9C 33 5E 34 02 83 CC 84 3F 66 42 3C DE 12 3D 
         A1 23 AE 0E 85 31 2B B5 C9 47 7E 9D AB 96 BA B9 
         1A F9 19 F5 3B E5 FF B2 2D 15 DF 05 91 AB DF EA 
         B0 AF 3B 35 90 00 01 
21 00 09 A0 CA 00 00 03 22 01 88 55 BF 
12 00 57 A2 53 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 90 00 24 
21 40 09 A0 CA 00 00 03 22 01 03 1C 3D 
12 40 1E A2 1A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 90 00 64 
21 00 09 A0 CA 00 00 03 22 01 06 13 77 
12 00 15 A2 11 08 E0 00 00 00 08 01 20 00 00 00 00 00 00 00 
         00 00 90 00 E5 
21 40 09 A0 CA 00 00 03 22 01 86 13 B7 
12 40 15 A2 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 90 00 64 
21 00 09 A0 CA 00 00 03 22 01 07 20 45 
12 00 22 A2 1E 18 FC 00 00 00 09 01 01 13 FA A8 BE 00 00 00 
         00 00 0A 00 00 00 32 FF FF FF 00 00 00 00 00 90 
         00 C9 
21 40 09 A0 CA 00 00 03 22 01 87 20 85 
12 40 22 A2 1E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 
         00 5C 
21 00 09 A0 CA 00 00 03 22 01 02 2F 4F 
12 00 31 A2 2D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 
         3C 
21 40 09 A0 CA 00 00 03 22 01 05 57 70 
12 40 59 A2 55 1E FF 88 00 00 09 01 01 00 00 01 55 00 00 00 
         00 01 00 12 92 00 00 36 38 A8 BE 15 36 FF 00 FF 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 90 00 E2 
21 00 09 A0 CA 00 00 03 22 01 85 57 B0 
12 00 59 A2 55 1E FF 88 00 00 09 01 01 00 00 CF 55 00 00 00 
         01 12 00 12 92 00 00 36 38 A8 BE 7F FF FF 00 FF 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 90 00 DD
21 40 09 A0 CA 00 00 03 22 01 85 57 F0 
12 40 59 A2 55 1E FF 88 00 00 09 01 01 00 00 CF 55 00 00 00 
         00 01 00 12 92 00 00 36 38 A8 BE 5F FF FF 00 FF 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 90 00 AF 
21 00 09 A0 CA 00 00 03 22 01 85 57 B0 
12 00 59 A2 55 1E FF 88 00 00 09 01 01 00 00 CF 55 00 00 00 
         01 12 00 12 92 00 00 36 38 A8 BE FF 00 FF 00 FF 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 90 00 A2 
21 40 09 A0 CA 00 00 03 22 01 85 57 F0 
12 40 59 A2 55 1E FF 88 00 00 09 01 01 00 00 CF 55 00 00 00 
         01 58 00 12 E0 00 00 36 38 A8 BE 02 94 FF 00 FF 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 90 00 B3 
21 00 09 A0 CA 00 00 03 22 01 85 57 B0 
12 00 59 A2 55 1E FF 88 00 00 09 01 01 00 00 1A 55 00 00 BE 
         01 12 00 12 92 00 00 36 38 A8 BE FF 00 FF 00 FF 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 90 00 C9
21 40 09 A0 CA 00 00 03 22 01 85 57 F0 
12 40 59 A2 55 1E FF 88 00 00 09 01 01 00 00 D1 55 00 00 00 
         00 00 00 12 92 00 00 36 38 A8 BE FF FF FF 00 FF 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 90 00 10 
21 00 09 A0 CA 00 00 03 22 01 85 57 B0 
12 00 59 A2 55 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 90 00 2C 
21 40 09 A0 CA 00 00 03 22 01 09 06 2D 
12 40 08 A2 04 00 00 00 00 90 00 6C 
21 00 09 A0 CA 00 00 03 22 01 0A 06 6E 
12 00 08 A2 04 00 00 00 00 90 00 2C 
21 40 09 A0 CA 00 00 03 22 01 0B 06 2F 
12 40 08 A2 04 00 00 00 00 90 00 6C 
21 00 09 A0 CA 00 00 03 22 01 0C 06 68 
12 00 08 A2 04 00 00 00 00 90 00 2C 
21 40 09 A0 CA 00 00 03 22 01 0D 06 29 
12 40 08 A2 04 00 00 00 00 90 00 6C 
21 00 09 A0 CA 00 00 03 22 01 0E 06 6A 
12 00 08 A2 04 00 00 00 00 90 00 2C 
21 40 09 A0 CA 00 00 03 22 01 0F 06 2B 
12 40 08 A2 04 00 00 00 00 90 00 6C 
21 00 18 A0 CA 00 00 12 64 10 49 B4 CB 01 31 34 41 42 43 53 
         46 41 45 35 30 39 03 69 
12 00 05 E4 01 00 90 00 62 
21 40 08 A0 CA 00 00 02 2A 00 42 69 
12 40 44 AA 40 BB 3C 50 19 19 3A 59 23 39 48 1C DB D3 61 1C 
         1C AB B8 1C E1 D9 68 9F 75 EC 2D 3C FF 1E 3F 87 
         C1 51 C5 80 58 E0 9E 5D 22 B2 2D CC F5 BE 07 9A 
         5E 57 F0 BC 89 A1 96 4A BD A6 80 10 F0 53 83 79 
         59 90 00 DD 
21 00 48 A0 CA 00 00 42 2B 40 76 BB 16 32 9E E9 08 CB A8 81 
         DB F0 D3 FD FA 10 D4 8C 0F 31 DE 08 BC E2 A2 9D 
         DC 56 34 D9 D2 AC 7A 8C 59 F0 AA C0 A7 EF 20 10 
         DF 5A 60 F4 08 EC B0 47 A6 A5 23 48 24 DE C5 48 
         FF 6A 42 8C 28 6A 02 32 
12 00 04 AB 00 90 00 2D 


#####################################################################################################
#####################################################################################################
#section13.4 Stream
#Bootup sequence 0801 cut
#####################################################################################################

0801 stripped init seq
21 C1 01 3F 61  
21 00 08 A0 CA 00 00 02 C0 00 06 87 
21 40 08 A0 CA 00 00 02 C0 00 06 C7 
21 00 08 A0 CA 00 00 02 12 00 06 55 
21 40 08 A0 CA 00 00 02 15 00 08 1C 
21 00 08 A0 CA 00 00 02 C7 00 04 82 
21 40 09 A0 CA 00 00 03 22 01 00 39 1B 
21 00 09 A0 CA 00 00 03 22 01 80 39 DB 
21 40 09 A0 CA 00 00 03 22 01 01 0E 2D 
21 00 09 A0 CA 00 00 03 22 01 81 0E ED 
21 40 09 A0 CA 00 00 03 22 01 04 44 62 
21 00 09 A0 CA 00 00 03 22 01 84 44 A2 
21 40 09 A0 CA 00 00 03 22 01 C4 59 BF 
21 00 09 A0 CA 00 00 03 22 01 84 44 A2 
21 40 09 A0 CA 00 00 03 22 01 08 55 7F 
21 00 09 A0 CA 00 00 03 22 01 88 55 BF 
21 40 09 A0 CA 00 00 03 22 01 03 1C 3D 
21 00 09 A0 CA 00 00 03 22 01 06 13 77 
21 40 09 A0 CA 00 00 03 22 01 86 13 B7 
21 00 09 A0 CA 00 00 03 22 01 07 20 45 
21 40 09 A0 CA 00 00 03 22 01 87 20 85 
21 00 09 A0 CA 00 00 03 22 01 02 2F 4F 
21 40 09 A0 CA 00 00 03 22 01 05 57 70 
21 00 09 A0 CA 00 00 03 22 01 85 57 B0 
21 40 09 A0 CA 00 00 03 22 01 85 57 F0 
21 00 09 A0 CA 00 00 03 22 01 85 57 B0 
21 40 09 A0 CA 00 00 03 22 01 85 57 F0 
21 00 09 A0 CA 00 00 03 22 01 85 57 B0 
21 40 09 A0 CA 00 00 03 22 01 85 57 F0 
21 00 09 A0 CA 00 00 03 22 01 85 57 B0 
21 40 09 A0 CA 00 00 03 22 01 09 06 2D 
21 00 09 A0 CA 00 00 03 22 01 0A 06 6E 
21 40 09 A0 CA 00 00 03 22 01 0B 06 2F 
21 00 09 A0 CA 00 00 03 22 01 0C 06 68 
21 40 09 A0 CA 00 00 03 22 01 0D 06 29 
21 00 09 A0 CA 00 00 03 22 01 0E 06 6A 
21 40 09 A0 CA 00 00 03 22 01 0F 06 2B 
21 00 18 A0 CA 00 00 12 64 10 49 B4 CB 01 31 34 41 42 43 53 46 41 45 35 30 39 03 69 
21 40 08 A0 CA 00 00 02 2A 00 42 69 
21 00 48 A0 CA 00 00 42 2B 40 76 BB 16 32 9E E9 08 CB A8 81 DB F0 D3 FD FA 10 D4 8C 0F 31 DE 08 BC E2 A2 9D DC 56 34 D9 D2 AC 7A 8C 59 F0 AA C0 A7 EF 20 10 DF 5A 60 F4 08 EC B0 47 A6 A5 23 48 24 DE C5 48 FF 6A 42 8C 28 6A 02 32 


#####################################################################################################

#####################################################################################################
#####################################################################################################
#Section13.8
#13.8Nagra_2_configv1.1.cfg for T-Rex Nagra-Tool
#####################################################################################################

----> Card Setup <----
Port:COM1:
Speed:115200:

----> Backdoor Keys <----

----> Commands to card <----
Card-INS:04            :21 00 6D A0 CA 00 00 67 04 65 09 01 81 00 10 F5 F9 5D DE 10 A6 5D FB 28 9D 78 5C 10 E1 CA 38 1B A6 45 7E 9E 28 2C C6 3F E2 90 1A 8F 64 DF EA 20 34 E5 AD BB 94 E5 05 8B A0 7B 22 51 20 47 98 52 43 64 9E 55 7B 4E B6 93 F5 45 1F 09 2D C7 FD 5D A4 C0 87 1B E3 B1 1E 8B B7 74 BC 90 C9 00 42 A1 09 BF D0 76 EF 7D 10 58 AB 77 FE 71 61 9B BB 02 CA :
Card-INS:05            :21 00 08 A0 CA 00 00 00 05 00 05 43 :
Card-INS:07            :21 00 4D A0 CA 00 00 47 07 45 01 01 86 00 88 46 FE 13 E9 56 82 74 E1 6A 25 B4 75 9A 11 D3 B2 52 EC 50 6A 5C 19 83 E7 48 B4 65 4C A5 47 2F 84 E6 C3 0B 16 A4 9A 4E AE B7 01 41 0E E6 54 D8 2C BC 9E 9B 5E 24 E6 48 CF 96 A9 E1 76 1A 2D F0 89 02 4C :
Card-INS:08            :21 00 08 A0 CA 00 00 00 08 00 04 4F :
Card-INS:15            :21 00 08 A0 CA 00 00 02 15 00 08 5C :
Card-INS:16            :21 00 08 A0 CA 00 00 00 16 00 04 51 :
Card-INS:17            :21 00 08 A0 CA 00 00 00 17 00 02 56 :
Card-INS:18            :21 00 08 A0 CA 00 00 00 18 00 02 59 :
Card-INS:19            :21 00 08 A0 CA 00 00 00 19 00 04 5E :
Card-INS:1A            :21 00 08 A0 CA 00 00 02 1A 00 00 5B :
Card-INS:1C            :21 00 08 A0 CA 00 00 02 1C 00 36 6B :
Card-INS:22/01/00      :21 00 09 A0 CA 00 00 03 22 01 00 39 5B :
Card-INS:22/01/01      :21 00 09 A0 CA 00 00 03 22 01 01 0E 6D :
Card-INS:22/01/02      :21 00 09 A0 CA 00 00 03 22 01 02 2F 4F :
Card-INS:22/01/04      :21 00 09 A0 CA 00 00 03 22 01 04 44 22 :
Card-INS:22/01/05      :21 00 09 A0 CA 00 00 03 22 01 05 57 30 :
Card-INS:22/01/06      :21 00 09 A0 CA 00 00 03 22 01 06 13 77 :
Card-INS:22/01/07      :21 00 09 A0 CA 00 00 03 22 01 07 20 45 :
Card-INS:22/01/08      :21 00 09 A0 CA 00 00 03 22 01 08 55 3F :
Card-INS:22/01/09      :21 00 09 A0 CA 00 00 03 22 01 09 06 6D :
Card-INS:22/01/0A      :21 00 09 A0 CA 00 00 03 22 01 0A 06 6E :
Card-INS:22/01/0B      :21 00 09 A0 CA 00 00 03 22 01 0B 06 6F :
Card-INS:22/01/0C      :21 00 09 A0 CA 00 00 03 22 01 0C 06 68 :
Card-INS:22/01/0D      :21 00 09 A0 CA 00 00 03 22 01 0D 06 69 :
Card-INS:22/01/0E      :21 00 09 A0 CA 00 00 03 22 01 0E 06 6A :
Card-INS:22/01/0F      :21 00 09 A0 CA 00 00 03 22 01 0F 06 6B :
Card-INS:22/01/1C      :21 00 09 A0 CA 00 00 03 22 01 03 1C 7D :
Card-INS:22/01/88      :21 00 09 A0 CA 00 00 03 22 01 88 55 BF :
Card-INS:22/01/87      :21 00 09 A0 CA 00 00 03 22 01 87 20 C5 :
Card-INS:22/01/80      :21 00 09 A0 CA 00 00 03 22 01 80 39 DB :
Card-INS:22/01/81      :21 00 09 A0 CA 00 00 03 22 01 81 0E ED :
Card-INS:22/01/86      :21 00 09 A0 CA 00 00 03 22 01 86 13 F7 :
Card-INS:22/01/84      :21 00 09 A0 CA 00 00 03 22 01 84 44 A2 :
Card-INS:22/01/85      :21 00 09 A0 CA 00 00 03 22 01 85 57 B0 :
Card-INS:22/01/C4AJUST :21 00 09 A0 CA 00 00 03 22 01 C4 ZZ ZZ :
Card-INS:22/01/C8      :21 00 09 A0 CA 00 00 03 22 01 C8 55 FF :
Card-INS:26            :21 00 0D A0 CA 00 00 07 26 05 AA AA AA AA AA 42 8A :
Card-INS:27            :21 00 4D A0 CA 00 00 47 27 45 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 21 :
Card-INS:28            :21 00 09 A0 CA 00 00 03 28 00 00 1A 73 :
Card-INS:29            :21 00 08 A0 CA 00 00 02 29 00 04 6C :
Card-INS:2A            :21 40 08 A0 CA 00 00 02 2A 00 42 69 :
Card-INS:2B            :21 00 48 A0 CA 00 00 42 2B 40 09 64 2B E7 C9 9C 92 36 EC A6 81 4F BF A0 70 80 C5 B1 1E D7 22 93 52 4C B9 75 C5 A5 83 B5 A5 E6 23 A7 C5 26 A7 25 45 04 D3 FA 53 17 44 1B 9D 40 30 0E AB 84 7F 49 A9 64 04 FC 1B D7 54 6E FB 33 02 BF :
Card-INS:2C            :21 00 08 A0 CA 00 00 02 2C 00 42 2F :
Card-INS:2D            :21 00 48 A0 CA 00 00 42 2D 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 2F :
Card-INS:32            :21 00 0B A0 CA 00 00 05 32 03 09 00 05 03 7B :
Card-INS:33            :21 00 08 A0 CA 00 00 02 33 00 6C 73 :
Card-INS:48            :21 00 08 A0 CA 00 00 02 48 00 00 09 :
Card-INS:49            :21 00 08 A0 CA 00 00 02 49 00 86 8E :
Card-INS:xxxxxxxx80    :20 90 00 B1 :
Card-INS:xxxxxxxx80    :20 80 00 A1 :
Card-INS:4A            :21 00 08 A0 CA 00 00 02 4A 00 04 0F :
Card-INS:4B            :21 00 08 A0 CA 00 00 02 4B 00 04 0E :
Card-INS:64            :21 00 18 A0 CA 00 00 12 64 10 5C B3 4E 01 31 32 42 42 43 42 4E 41 38 33 33 50 03 F3 :
Card-INS:65            :21 00 08 A0 CA 00 00 02 65 00 52 76 :
Card-INS:68            :21 00 08 A0 CA 00 00 00 68 00 03 28 :
Card-INS:69            :21 00 08 A0 CA 00 00 02 69 00 02 2A :
Card-INS:6A            :21 00 0A A0 CA 00 00 04 6A 00 00 00 02 2D :
Card-INS:6B            :21 00 0D A0 CA 00 00 07 6B 05 00 00 00 00 00 02 2D :
Card-INS:6C            :21 00 09 A0 CA 00 00 03 6C 01 00 02 2E :
Card-INS:6E            :21 00 08 A0 CA 00 00 02 6E 00 04 2B :
Card-INS:C0            :21 00 08 A0 CA 00 00 02 C0 00 06 87 :
Card-INS:C4            :21 00 08 A0 CA 00 00 02 C4 00 02 87 :
Card-INS:C7            :21 00 08 A0 CA 00 00 02 C7 00 04 82 :
Card-INS:C8            :21 00 08 A0 CA 00 00 02 C8 00 06 8F :
Card-INS:C9            :21 00 08 A0 CA 00 00 00 C9 00 04 8E :
Card-INS:21C000E1RsyncRQ :21C000E1 :
Card-INS:21C1016485IFS :21C1016485 :
Card-INS:21E100C0RSIFS :21E100C0 :
Card-INS:21C200E3ABORT :21C200E3 :
Card-INS:21E300C2WTXRS :21E300C2 :
Card-INS:21E400C5ResyncRS :21E400C5 :


Card-INS:ifsA0            :21 C1 01 A0 41 :
Card-INS:Read Emmbuff:21 40 07 A0 BB 00 00 02 15 00 6A :
Card-INS:Exec at 0x0088:21 00 07 A0 FF 00 00 02 48 00 33 :

#####################################################################################################
#####################################################################################################
#Section13.9
#13.9: DASM ECGS102F_ROM102_NO1B4ME_ND13_DUMPROM_V5.xvb
#####################################################################################################
AD 38 4A AD 1D 26 FB 71 00 CD 5A 7D 30 00 01 52 AD 2A 3C 8D 26 F3 3C 8C 26 EF 3C 88 A6 80 B7 8C 20 E5 B7 52 A6 F0 4A 26 FD B6 52 81 9D 9D 9D 9D 9D 9D 9D 9D 9D 9B A6 55 20 C6 B7 52 4F AD E7 AE 0A 43 11 00 AD DC 20 00 10 00 AD D6 98 25 04 11 00 20 04 10 00 20 00 AD C9 48 5A 26 F0 10 00 81 02


0080: AD 38        bsr $BA              ; Go to subroutine
0082: 4A           deca                 ; a--
0083: AD 1D        bsr EMMBUFF+22       ; Go to subroutine
0085: 26 FB        bne EMMBUFF+2        ; Branch if <>
0087: 71  00         ldp 00              ; Load  into paging register

0089: CD 5A 7D     jsr Copy_RAM_to_ZP   ; Move N bytes of memory from RAM Address to ZP
008C: .dw 30 00                         ; AddressH:L
008E: .db 01                            ; Bytes Count
008F: .db 52                            ; DestinationZP

0090: AD 2A        bsr $BC              ; Go to subroutine
0092: 3C 8D        inc EMMBUFF+D        ; +=1
0094: 26 F3        bne EMMBUFF+9        ; Branch if <>
0096: 3C 8C        inc EMMBUFF+C        ; +=1
0098: 26 EF        bne EMMBUFF+9        ; Branch if <>
009A: 3C 88        inc EMMBUFF+8        ; +=1
009C: A6 80        lda #$80             ; Load in A
009E: B7 8C        sta EMMBUFF+C        ; Store A in...
00A0: 20 E5        bra EMMBUFF+7        ; Branch always
00A2: B7 52        sta PCB              ; Store A in...
00A4: A6 F0        lda #$F0             ; Load in A
00A6: 4A           deca                 ; a--
00A7: 26 FD        bne EMMBUFF+26       ; Branch if <>
00A9: B6 52        lda PCB              ; Load in A
00AB: 81           rts                  ; Return from subroutine

00AC: 9D           nop                  ; No operation
00AD: 9D           nop                  ; No operation
00AE: 9D           nop                  ; No operation
00AF: 9D           nop                  ; No operation
00B0: 9D           nop                  ; No operation
00B1: 9D           nop                  ; No operation
00B2: 9D           nop                  ; No operation
00B3: 9D           nop                  ; No operation
00B4: 9D           nop                  ; No operation
00B5: 9B           sei                  ; I <-- 1
00B6: A6 55        lda #$55             ; Load in A
00B8: 20 C6        bra EMMBUFF          ; Branch always
00BA: B7 52        sta PCB              ; Store A in...
00BC: 4F           clra                 ; a <-- 0
00BD: AD E7        bsr EMMBUFF+26       ; Go to subroutine
00BF: AE 0A        ldx #$0A             ; Load in X
00C1: 43           coma                 ; One's complement of A
00C2: 11 00        bclr0 IOREG          ; Bit 0 <-- 0
00C4: AD DC        bsr EMMBUFF+22       ; Go to subroutine
00C6: 20 00        bra byte_C8          ; Branch always
00C8: 10 00        bset0 IOREG          ; Bit 0 <-- 1
00CA: AD D6        bsr EMMBUFF+22       ; Go to subroutine
00CC: 98           clc                  ; C <-- 0
00CD: 25 04        bcs $D3              ; Branch if C=1
00CF: 11 00        bclr0 IOREG          ; Bit 0 <-- 0
00D1: 20 04        bra $D7              ; Branch always
00D3: 10 00        bset0 IOREG          ; Bit 0 <-- 1
00D5: 20 00        bra $D7              ; Branch always
00D7: AD C9        bsr EMMBUFF+22       ; Go to subroutine
00D9: 48           lsla                 ; a << 1
00DA: 5A           decx                 ; x--
00DB: 26 F0        bne $CD              ; Branch if <>
00DD: 10 00        bset0 IOREG          ; Bit 0 <-- 1
00DF: 81           rts                  ; Return from subroutine

 BYTES DUMP:
---------------------
00E0: 02


#####################################################################################################
#####################################################################################################
#section
#DASM ROM102_ND13_A0FF-INTERCEPT-autoVCC_20.XVB
#####################################################################################################

0080: 9D           nop                  ; No operation
0081: 9D           nop                  ; No operation
0082: 9D           nop                  ; No operation
0083: 9D           nop                  ; No operation
0084: 9D           nop                  ; No operation
0085: 9D           nop                  ; No operation
0086: 9D           nop                  ; No operation
0087: 9D           nop                  ; No operation

0088: A6 4B        lda #$4B             ; Load in A
008A: B7 6B        sta EEWRITEOKBITS    ; Store A in...
008C: 18 64        bset4 STATS5         ; Bit 4 <-- 1
008E: CD 7C 16     jsr $7C16            ; Go to subroutine
		   	82 19		;Dst
			BE		;RamSrc
			0C		;Len

0095: A6 4B        lda #$4B             ; Load in A
0097: B7 6B        sta EEWRITEOKBITS    ; Store A in...
0099: 18 64        bset4 STATS5         ; Bit 4 <-- 1
009B: CD 7C 16     jsr $7C16            ; Go to subroutine
			31 7F		;Dst
			A5		;RamSrc
			04		;Len

00A2: CC 7A 99     jmp SW6F00           ; Jump

00A5:			60 DB		;DATA
			82 19
00A9: 9D           nop                  ; No operation
00AA: 9D           nop                  ; No operation
00AB: 9D           nop                  ; No operation
00AC: 9D           nop                  ; No operation
00AD: 9D           nop                  ; No operation
00AE: 9D           nop                  ; No operation
00AF: 9D           nop                  ; No operation
00B0: 9D           nop                  ; No operation
00B1: 9D           nop                  ; No operation
00B2: 9D           nop                  ; No operation
00B3: 9D           nop                  ; No operation
00B4: 9D           nop                  ; No operation
00B5: 9D           nop                  ; No operation
00B6: 9D           nop                  ; No operation
00B7: 9D           nop                  ; No operation
00B8: 9D           nop                  ; No operation
00B9: 9D           nop                  ; No operation
00BA: 9D           nop                  ; No operation
00BB: 9D           nop                  ; No operation
00BC: BC 80        jmp EMMBUFF          ; Jump

DATA
00BE: 17 63        bclr3 STATS2         ; Bit 3 <-- 0
00C0: A1 CA        cmp #$CA             ; Compare with A
00C2: 26 03        bne $C7              ; Branch if <>
00C4: CC 60 EC     jmp ClaA0InsCA       ; Jump
00C7: CC 7D 99     jmp JP_EMMBUFF08     ; Jump

####################################################################################################
####################################################################################################
#Read Write Execution routine at emmbuf88
####################################################################################################
TX: 21 00 6D A0 CA 00 00 67 04 65 01 01 86 00 AA 9D 9D 9D 9D 9D 9D 9D 9D 71 80 CD 5A C0 30 00 0D F8 80 B6 91 B7 4C CD 45 05 CC 7A 95 9d 9d 9d 9d 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 02 9F

RX: 12 00 04 84 00 90 00 02

TX: 21 00 07 A0 FF 00 00 02 48 00 33

RX: 3E F8 A2 B2 48 05 A7 00 A9 00 00 00 00 0C 00 00 00 32 79 32 93 2C 18 00 00 00 00 FF 00 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7F D9 F1 EB 72 E0 BF 8B B5 A0 96 F8 34 13 84 DF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12 40 02 90 00 C0

Read
0080: 9D           nop                  ; No operation
0081: 9D           nop                  ; No operation
0082: 9D           nop                  ; No operation
0083: 9D           nop                  ; No operation
0084: 9D           nop                  ; No operation
0085: 9D           nop                  ; No operation
0086: 9D           nop                  ; No operation
0087: 9D           nop                  ; No operation
0088: 71  80         ldp 80               ; Load  into paging register

008A: CD 5A C0     jsr Copy_to_RAM      ; Copy 4N byte
008D: .db 30                            ; SourceH
008E: .db 00                            ; SourceL
008F: .db 0D                            ; DestH
0090: .db F8                            ; DestL
0091: .db 80                            ; Bytes Count

0092: B6 91        lda EMMBUFF+11       ; Load in A
0094: B7 4C        sta RC3ADDR          ; Store A in...
0096: CD 45 05     jsr SendBytesATRC1   ; 0

0099: CC 7A 95     jmp SW9000_0         ; Send SW9000
###################################################################################################################
TEST ON RAM
Ram dump Start at 0x0080 80Len

9D 9D 9D 9D 9D 9D 9D 9D 71 80 CD 5A C0 00 80 0D F8 80 B6 91 B7 4C CD 45 05 CC 7A 95 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12 40 02 90 00 C0 01 01 07 00 00 00 E0 F2 12 00 E4 F4 12 00 BB F4 D1 77 56 00 01 01 00 00 00 00 00

Ram dump Start at 0x0500 80Len
00 EB 8C 31 28 C3 9D 20 00 EB 8C 31 28 C3 9D 20 02 6D F0 0C 0E 61 FC 00 02 6D F0 0C 0E 61 FC 00 00 EB 8C 31 28 C3 9D 20 00 EB 8C 31 28 C3 9D 20 02 6D F0 0C 0E 61 FC 00 02 6D F0 0C 0E 61 FC 00 00 EB 8C 31 28 C3 9D 20 00 EB 8C 31 28 C3 9D 20 02 6D F0 0C 0E 61 FC 00 02 6D F0 0C 0E 61 FC 00 00 EB 8C 31 28 C3 9D 20 00 EB 8C 31 28 C3 9D 20 02 6D F0 0C 0E 61 FC 00 02 6D F0 0C 0E 61 FC 00 12 40 02 90 00 C0 01 34 07 00 00 00 E0 F2 12 00 

0800
00 EF 14 AB 4A A5 9D 22 00 EF 14 AB 4A A5 9D 22 12 6D 99 64 57 28 FD 00 

0900
00 ED 10 2F 48 A5 19 26 01 EC 14 2B 49 A4 1D 22 00 7E 08 B5

0A00
00 76 D0 0A 00 76 D0 0A 04 72 D2 08 04 72 D2 08 00 D9 4A 21 00 D9 4A 21 10 C9 4B 20 10 C9 4B 20 40 36 D8 02 40 36 D8 02 44 32 DA 00 44 32 DA 00 40 99 6A 01 40 99 6A 01 50 89 6B 00 50 89 6B 00 00 76 D0 0A 00 76 D0 0A 04 72 D2 08 04 72 D2 08 00 D9 4A 21 00 D9 4A 21 10 C9 4B 20 10 C9 4B 20 40 36 D8 02 40 36 D8 02 44 32 DA 00 44 32 DA 00 40 99 6A 01 40 99 6A 01 50 89 6B 00 50 89 6B 00 12 40 02 90 00 C0 00 00 80 F3 12 00 73 1A 49 00 4C A8 4C 00 B8 02 03 00 20 00 00 00 BC 02 03 00 01 00 01 02 80 F3 12 00 30 F4 12 00 B8 F3 12 00 E4 A8 98 00 BC 23 49 00 4C A8 4C 00 00 00 00 00 6D 00 00 00 30 F4 12 00 30 F4 12 00 B8 F3 12 00 E4 A8 98 00 

0A80
00 75 50 0E 01 74 54 0A 00 75 50 0E 01 74 54 0A 10 E8 0B A0 30 C8 8B 20 10 E8 0B A0 30 C8 8B 20 40 35 58 06 41 34 5C 02 40 35 58 06 41 34 5C 02 50 A8 2B 80 70 88 AB 00 50 A8 2B 80 70 88 AB 00 00 75 50 0E 01 74 54 0A 00 75 50 0E 01 74 54 0A 10 E8 0B A0
##################################################################################################################
#####################################################################################################
#####################################################################################################
#section
#Penga Blockerv7 Backdoor dasm
#####################################################################################################

8219: 17 63        bclr3 STATS2         ; Bit 3 <-- 0
821B: A1 CA        cmp #$CA             ; Compare with A
821D: 26 06        bne $8225            ; Branch if <>
821F: CC 60 EC     jmp ClaA0InsCA       ; 0
8222: CC 7D 99     jmp JP_EMMBUFF08 

8225: 71 80          ldp $80              ; Load $ into paging register
8227: CD 5A C0     jsr Copy_to_RAM      ; Copy 4N byte
822A: .db 82                            ; SourceH
822B: .db 60                            ; SourceL
822C: .db 01                            ; DestH
822D: .db 70                            ; DestL
822E: .db 08                            ; Bytes Count
822F: AE 07        ldx #$07             ; Load in X

8231: D6 0D FA     lda $0DFA, X         ; Load in A
8234: D1 01 70     cmp $0170, X         ; Compare with A
8237: 26 06        bne $823F            ; Branch if <>
8239: 5A           decx                 ; x--
823A: 2A F5        bpl $8231            ; Branch if >0
823C: 9D           nop                  ; No operation
823D: 20 03        bra $8242            ; Branch always

823F: CC 7A 99     jmp SW6F00           ; 0

8242: A6 03        lda #$03             ; Load in A
8244: B7 90        sta EMMBUFF+10       ; Store A in...
8246: A6 4B        lda #$4B             ; Load in A
8248: B7 6B        sta EEWRITEOKBITS    ; Store A in...
824A: 18 64        bset4 STATS5         ; Bit 4 <-- 1
824C: CD 7C 16     jsr Jmp_WriteRowEE_AfromXtoRC1_init; Copy 4N byte
824F: .dw 82 1E                         ; DST
8251: .db 90                            ; SRC
8252: .db 01                            ; LEN

8253: CC 7A 95     jmp SW9000_0         ; Send SW9000

DATA
8260: AA BB CC DD AA BB CC DD

#####################################################################################################
#####################################################################################################
#section
#Penga Blockerv7 emmhandler dasm
#####################################################################################################

9000: B6 92        lda EMMBUFF+12       ; Load in A
9002: C7 0B 00     sta $0B00            ; Store A in...
9005: 71           ldp $80               ; Load $ into paging register


9007: CD 5A C0     jsr Copy_to_RAM      ; Copy 4N byte
900A: .db 91                            ; SourceH
900B: .db 00                            ; SourceL
900C: .db 0B                            ; DestH
900D: .db 10                            ; DestL
900E: .db 20                            ; Bytes Count

900F: C6 0B 00     lda $0B00            ; Load in A
9012: AE 20        ldx #$20             ; Load in X
9014: D1 0B 0F     cmp $0B0F, X         ; Compare with A
9017: 27 08        beq $9021            ; Branch if =
9019: 5A           decx                 ; x--
901A: 2A F8        bpl $9014            ; Branch if >0
901C: A6 00        lda #$00             ; Load in A
901E: CC 95 79     jmp GOEMMEND         ; 0


9021: B6 92        lda EMMBUFF+12       ; Load in A
9023: 9D           nop                  ; No operation
9024: 9D           nop                  ; No operation
9025: 87           eret                 ; eret

###############################################
3CTRUCM
9000: 89           push x               ; Stack <- X
9001: 8A           push cc              ; Stack <- CC
9002: 90 89        push y                  ; Stack <- y
9004: 71           ldp $X               ; Load # into paging register
9005: 80           rti                  ; Return from interrupt
9006: CD 5A C0     jsr Copy_to_RAM      ; Copy 4N byte
9009: .db 91                            ; SourceH
900A: .db 00                            ; SourceL
900B: .db 0B                            ; DestH
900C: .db 10                            ; DestL
900D: .db 20                            ; Bytes Count

900E: 71           ldp $X               ; Load # into paging register
900F: 00 B6 92     brset0 $B6, $8FA4    ; Branch if bit 0 set
9012: AE 20        ldx #$20             ; Load in X
9014: D1 0B 0F     cmp $0B0F, X         ; Compare with A
9017: 27 08        beq $9021            ; Branch if =
9019: 5A           decx                 ; x--
901A: 2A F8        bpl $9014            ; Branch if >0
901C: A6 00        lda #$00             ; Load in A
901E: CC 95 79     jmp GOEMMEND         ; 0


9021: 85           pop x                ; Stack -> X
9022: 86           pop cc               ; Stack -> CC
9023: 90 85        pop y                   ; Stack -> y
9025: B6 92        lda EMMBUFF+12       ; Load in A
9027: 87           eret                 ; eret

#####################################################################################################
#####################################################################################################
#v22
#####################################################################################################

9000: 71 80	   ldp #$80
9002: 89           push x               ; Stack <- X
9003: AE 0F        ldx #$0F             ; Load in X
9005: B6 92        lda EMMBUFF+12       ; Load in A
9007: D1 90 40     cmp $9040, X         ; Compare with A
900A: 27 14        beq $9020            ; Branch if =
900C: 5A           decx                 ; x--
900D: 2A F6        bpl $9005            ; Branch if >0
900F: 9D           nop                  ; No operation
9010: 71 00        ldp $X               ; Load  into paging register
9012: 85           pop x                ; Stack -> X
9013: 3F 92        clr EMMBUFF+12       ; <-- 0
9015: A6 00        lda #$00             ; Load in A
9017: CC 55 D3     jmp $55D3            ; Jump
901A: 9D 9D 9D 9D 9D 9D 

9020: 71 00        ldp $X               ; Load  into paging register

9022: B6 92        lda EMMBUFF+12       ; Load in A
9024: A1 B1        cmp #$B1             ; Compare with A
9026: 26 02        bne $902A            ; Branch if <>
9028: 20 E8        bra $9012            ; Branch always
902A: 85           pop x                ; Stack -> X
902B: 87           eret                 ; eret

################################################################
22sk DASM
610A 91C0 Command33_FirstEntryPoint
A848 9120

$3170=40038800301001142800801A80000095
$3180=999000008859807500812B80A0008AB3
$3190=80C80060DB821900610A91C000A84891
$31A0=20000000000000000000000000000000

; Add P and Q
$9120=88C60DFDA12B2706A12A270284879D9D
$9130=7180CD5AC092900220207180CD5AC092
$9140=B0026020710084870000000000000000
$9150=00000000000000000000000000000000
$9160=00000000000000000000000000000000
$9170=00000000000000000000000000000000
$9180=00000000000000000000000000000000
$9190=00000000000000000000000000000000
$91A0=00000000000000000000000000000000
$91B0=00000000000000000000000000000000
$91C0=A12A2602871AA12B26022007A1222602
$91D0=202E879D870000000000000000000000
$91E0=12607180CD5AC092D00DFA60A6047100
$91F0=CC650687AA40002A0000000000000000
$9200=C60DFFA1082704C60DFD879D9D9D9D9D
$9210=7180CD5AC092310DFA60A60471009D9D
$9220=A6A2AE53CC647EA25300220108000000
$9230=0052F0000000000108FF490000000000

; CMD 220108 SEND ALL 000000000 SK SETUP
; MSB
$923B100

; CMD 08
$923C=00000000000000000000000000000000
$924C=00000000000000000000000000000000
$925C=00000000000000000000000000000000
$926C=00000000000000000000000000000000
$927C=00000000000000000000000000000000


; CMD 2B byteflopped P $0220 RAM
$9290=6DC7AB5EDB9206A83951435CA4D0488E
$92A0=D33DE9134B632F88E36457C857BCF0EC

; CMD 2B byteflopped Q $0260 RAM
$92B0=ED21108BEC33DD1161636A377610402E
$92C0=890C5AA16B3EEF602ADA5422BA3045DF
###############################################################
;Add P Q Module
9120: 88           push a               ; Stack <- A
9121: C6 0D FD     lda IOBUFFER+5       ; Load in A
9124: A1 2B        cmp #$2B             ; Compare with A
9126: 27 06        beq $912E            ; Branch if =
9128: A1 2A        cmp #$2A             ; Compare with A
912A: 27 02        beq $912E            ; Branch if =
912C: 84           pop a                ; Stack -> A
912D: 87           eret                 ; eret
912E: 9D           nop                  ; No operation
912F: 9D           nop                  ; No operation
9130: 71 80        ldp #$80             ; Load  into paging register

9132: CD 5A C0     jsr Copy_to_RAM      ; Copy 4N byte
9135: .db 92                            ; SourceH
9136: .db 90                            ; SourceL
9137: .db 02                            ; DestH
9138: .db 20                            ; DestL
9139: .db 20                            ; Bytes Count

913A: 71 80        ldp #$80             ; Load  into paging register

913C: CD 5A C0     jsr Copy_to_RAM      ; Copy 4N byte
913F: .db 92                            ; SourceH
9140: .db B0                            ; SourceL
9141: .db 02                            ; DestH
9142: .db 60                            ; DestL
9143: .db 20                            ; Bytes Count

9144: 71 00        ldp #$00             ; Load  into paging register
9146: 84           pop a                ; Stack -> A
9147: 87           eret                 ; eret
##################################################################
;Add Dt08 Module
91C0: A1 2A        cmp #$2A             ; Compare with A
91C2: 26 02        bne $91C6            ; Branch if <>
91C4: 87           eret                 ; eret
91C5: 1A 
91C6: A1 2B        cmp #$2B             ; Compare with A
91C8: 26 02        bne $91CC            ; Branch if <>
91CA: 20 07        bra $91D3            ; Branch always
91CC: A1 22        cmp #$22             ; Compare with A
91CE: 26 02        bne $91D2            ; Branch if <>
91D0: 20 2E        bra $9200            ; Branch always
91D2: 87           eret                 ; eret
91D3: 9D           nop                  ; No operation
91D4: 87           eret                 ; eret

9200: C6 0D FF     lda IOBUFFER+7       ; Load in A
9203: A1 08        cmp #$08             ; Compare with A	Dt08
9205: 27 04        beq $920B            ; Branch if =
9207: C6 0D FD     lda IOBUFFER+5       ; Load in A
920A: 87           eret                 ; eret
920B: 9D           nop                  ; No operation
920C: 9D           nop                  ; No operation
920D: 9D           nop                  ; No operation
920E: 9D           nop                  ; No operation
920F: 9D           nop                  ; No operation
9210: 71 80        ldp #$80             ; Load into paging register
9212: CD 5A C0     jsr Copy_to_RAM      ; Copy 4N byte
9215: .db 92                            ; SourceH		location
9216: .db 31                            ; SourceL
9217: .db 0D                            ; DestH
9218: .db FA                            ; DestL			dest
9219: .db 60                            ; Bytes Count

921A: A6 04        lda #$04             ; Load in A
921C: 71 00        ldp #$00             ; Load  into paging register
921E: 9D           nop                  ; No operation
921F: 9D           nop                  ; No operation
9220: A6 A2        lda #$A2             ; Load in A
9222: AE 53        ldx #$53             ; Load in X
9224: CC 64 7E     jmp $647E            ; Jump		RespondX_2

#####################################################################################################
Rebelserf omni unlocker dasm
2100588ECA9D9D9D9D559D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D71801864A64BB76BCD7C1630C0B5021864CD7C168219B7071864CD7C163176BE08CC7A95FFBFA1FF270187BC88011E050060DB82199D9DE49D9D9D88

0076: 9D           nop                  ; No operation
0077: 9D           nop                  ; No operation
0078: 9D           nop                  ; No operation
0079: 9D           nop                  ; No operation
007A: 55           
007B: 9D           nop                  ; No operation
007C: 9D           nop                  ; No operation
007D: 9D           nop                  ; No operation
007E: 9D           nop                  ; No operation
007F: 9D           nop                  ; No operation
0080: 9D           nop                  ; No operation
0081: 9D           nop                  ; No operation
0082: 9D           nop                  ; No operation
0083: 9D           nop                  ; No operation
0084: 9D           nop                  ; No operation
0085: 9D           nop                  ; No operation
0086: 9D           nop                  ; No operation
0087: 9D           nop                  ; No operation
0088: 9D           nop                  ; No operation
0089: 9D           nop                  ; No operation
008A: 9D           nop                  ; No operation
008B: 9D           nop                  ; No operation
008C: 9D           nop                  ; No operation
008D: 9D           nop                  ; No operation
008E: 9D           nop                  ; No operation
008F: 9D           nop                  ; No operation
0090: 9D           nop                  ; No operation
0091: 71           ldp $X               ; Load  into paging register
0092: 80           rti                  ; Return from interrupt

0093: 18 64        bset4 STATS5         ; Bit 4 <-- 1
0095: A6 4B        lda #$4B             ; Load in A
0097: B7 6B        sta EEWRITEOKBITS    ; Store A in...
0099: CD 7C 16     jsr Jmp_WriteRowEE_AfromXtoRC1_init; Copy 4N byte
009C: .dw 30 C0                         ; DST
009E: .db B5                            ; SRC
009F: .db 02                            ; LEN

00A0: 18 64        bset4 STATS5         ; Bit 4 <-- 1
00A2: CD 7C 16     jsr Jmp_WriteRowEE_AfromXtoRC1_init; Copy 4N byte
00A5: .dw 82 19                         ; DST
00A7: .db B7                            ; SRC
00A8: .db 07                            ; LEN

00A9: 18 64        bset4 STATS5         ; Bit 4 <-- 1
00AB: CD 7C 16     jsr Jmp_WriteRowEE_AfromXtoRC1_init; Copy 4N byte
00AE: .dw 31 76                         ; DST
00B0: .db BE                            ; SRC
00B1: .db 08                            ; LEN

00B2: CC 7A 95     jmp SW9000_0         ; Send SW9000


 BYTES DUMP:
---------------------
00B5: FF BF A1 FF 27 01 87 BC 
00BD: 88 01 1E 05 00 60 DB 82 
00C5: 19 9D 9D E4 9D 9D 9D 88 


#####################################################################################################
#####################################################################################################
#section
#
#####################################################################################################



#####################################################################################################
#####################################################################################################
#section
#
#####################################################################################################